A Little .Mac Security Flaw

deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."

Apple's response?

[PFAK]

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

Re:Apple's response?

[mboverload]

> Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

0H N0ES U DIDNT APPLE IS TEH PERFECT

Re:Apple's response?

[kaos07]

I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.

However Apple, like most corporations, clearly hasn't heard of the "Streisand effect" http://en.wikipedia.org/wiki/Streisand_effect

Re:Apple's response?

[aliquis]

No, how they handle every flaw and criticism is facinating, in a bad way.

I still haven't decide if I should like them or not, I guess they are as bad as Microsoft.

Re:Apple's response?

[slyn]

I can't wait until the day that Barbra Streisand denies there being such a thing as the Streisand effect, and the world enters an infinite loop and esplodes.

Re:Apple's response?

[the_womble]

It may be bad technical practice, it is excellent business practice.

Their main competitor is MS. As long as their users remain less likely to have security problems than MS's users, they do not have a problem. They have no reason to waste resources on security.

What are users who are not happy with Apple over this going to do? Switch to Windows?

Re:Apple's response?

[hankwang]

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"?

From the forums Terms of Service: Post constructive comments and questions. Unless otherwise noted, your Submission should either be a technical support question or a technical support answer. Constructive feedback about product features is welcome as well. If your Submission contains the phrase "Im sorry for the rant, but" you are likely in violation of this policy.

We cannot see what the deleted discussion looked like, but I think a topic starter like "How do I secure my iDisk?" is much less likely to be deleted than "Apple's iDisk has horrible security", even if the former leads to a heated discussion.

Re:Apple's response?

[d20_techie]

I am not a Mac Fan Boy. I see quite clearly Apple's mistakes, yet I love Apple. I admit to the fact they are flawed, just like Microsoft and every distribution of *nix out there. If Operating Systems were designed to be perfect we would not have so many of them. Now, as for the article. It is crap. There is, and you could find this out very quickly if you used .Mac as I have for two years, a logout button. Whenever I accessed my E-mail or Homepage or anything else tied into .Mac I was able to logout of .Mac and have never had any issues with having my privacy breached. When I was using .Mac I always intended to start using the other features more frequently, but I almost never used it for more than e-mail. So I cancelled my account as it is stupid to $100 a year for an e-mail account. Granted it had MUCH better spam control than yahoo, but at least yahoo is free.

Re:Apple's response?

[gaelfx]

That is exactly what I thought when I first read this, and you will have to forgive the ensuing ignorance that I am about to graffiti /. with because I am in China and wikipedia is difficult to access this week (maybe next week I'll be smarter ;) ). But I think the problem is that the post appears to have been disregarded. What Apple could have done is to write an email response to the poster (unless they did so anonymously) or at least put up a vague nod to the fact that they are working on this issue and that more posts on it are unnecessary/detrimental to their efforts to fix this problem. It's easy to let people know that you are aware of a problem without letting many people know what it is, software companies do this all the time. Another thing they should realize is that, by treating this post in this way, the security issue will become bigger news and thereby make it an even bigger issue (for this I cite the fact that /. has this posted on the frontpage, replete with instructions about how to perform said "hack"). That's the blunder in this whole mess that is not very forgivable, and is a lesson they should have learned from Microsoft trying to "deal" with IE vulnerabilities. ~is using a mac to write this, does not use .mac~

Re:Apple's response?

[1u3hr]

I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.

Apple can't take it down from anywhere else, (eg, here) so all it does is make them look like assholes, it protects no one. Any malicious types will know about this now, people are vulnerable and may not know it because of this.

Re:Apple's response?

[fastest+fascist]

or c) "Hey, this system could compromise my data! I'd better stop using it until they fix it! Thanks for the heads-up!"

Re:Apple's response?

[Provocateur]

Reponse to apple: Think you're so smug, eh? Let me use this Time Machine to show you that I did post said article. Now let me hit the back button on this brows
 
/*head explodes

Re:Apple's response?

[Senjaz]

No you're not and you won't be the only one to take it the wrong way either. Apple has a well known public bug tracking system called the radar, stuff like this should be posted there. Not on Apple's discussion forums. If you want to discuss it else where then do so, but bitching about a problem without reporting it through proper channels is not going to help at all.

Re:Apple's response?

[failedlogic]

If most people never saw the thread, did it exist in the first place?

Re:Apple's response?

[PopeRatzo]

I want to know where the "haha" tag is for this story. It's usually the first one you find whenever a security flaw of this magnitude is discovered in one of the top two operating systems.

Oh. I get it now.

[disclaimer: I actually adore the Macintosh operating system and I've got a dual G5 tower sitting under my desk. It's just that I love dicking with the mac fans who get all red in the face whenever something challenges their Weltanschauung.]

Re:Apple's response?

[DurendalMac]

Seems more to me that Apple tries to shut people up about it while trying to get it fixed. Not the best way to do it, but I don't think they're ignoring these issues.

Re:Apple's response?

[Ilgaz]

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me. It will be the same thing happening if same kind of issue is reported to Mozilla forums, Apache forums or anything. Security alerts should be sent to vendor directly and/or other vendors who may be interested. Not public. Even online games carry same rules. Try posting a thing like "This will sure crash your opponents machine on WoW" to WoW official forums, see what happens.

I am not defending Apple's ignorance and lack of security on such an expensive service but:

1) Did he post it to Apple bug reporter ( bugreporter.apple.com ) using "Security" from drop down menu?
2) Did he post it to security vendors (e.g. Intego would love this!) if Apple ignored the issue?
3) Did he post it to a lower profile mailing list such as Apple e-lists?

Publicly post a security issue to a general population, open web board which is intended for user to user support and get post deleted? Lets call Apple "bad guys" but lets not forget the security issues shouldn't be posted to general public. If he thinks he is punishing Apple, he is not doing it. Apple will continue to sell that overpriced thing to their die-hard users, the .Mac users (real victims) get further punished and risked instead.

Apple support forums are for people who wants semi-official support from Apple and they belong to Apple Inc./Admins. Usenet on the other hand is free, open and vendor neutral. If he posted same thing to Usenet, he would be flamed for same reasons though.

Re:Apple's response?

[fattybob]

funny - i just checked my .mac idisk and it is now steadily asking for access to keychain, or asking me to log in when ever i do anything - perhaps this has just been implemented, or the original post gave safari access to his keychain having saved his password there (not sure i like keychain that much myself, but i don't have any issues with it either), which then automates the frequent log ins - any others notice a change, or is it just an inaccurate post for a bit of mac bashing - soon to replace windoze bashing. Personally, i use both equally, and linux occasionally - for serious stuff, but if a i had to lose one - i know which OS i would choose to live with, and it works and has not progressively got more dis-functional with every "upgrade" it gets (i used to like win2k, until it got upgraded back to win98 or whatever they called it!

Slant much?

[Osty]

I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.

Re:Slant much?

[blowdart]

People say this a lot, but I wonder just how true it is.

Ah you must be new. Welcome to slashdot.

Re:Slant much?

[onefriedrice]

> If this were a Microsoft property, people would be screaming bloody murder.

And those people would be wrong, though there is less of a chance they would be corrected since people generally distrust Microsoft around here. There's nothing wrong with that, since Microsoft genuinely does very little to gain our trust.

Regarding this .Mac security flaw, it seems like a serious problem, and I'm surprised it has taken so long for anyone to realize the problem with not providing an interface for logging out. The fallacy many people are coming up with, however, is that Apple's decision to aggressively moderate their support forums is an indication of their position on security. It's not. It's unlikely that their security programmers are the same people who moderate user forums.

The fact that Apple's forum moderators aggressively remove certain posts does not reflect Apple's attitude towards security. It doesn't mean they're sweeping problems under the rug, etc. Their _track record_ is the only thing that will provide you with that sort of information. How long does it take them to address security flaws? Etc, etc. There is definitely a system put into place to allow users to report bugs (and even feature requests, etc.) directly to those who can use that information, and the support forums are not that system.

Clear private data

[linuxci]

Tools > Clear Private Data in Firefox is the option you need.

Not having a log out button is bad design but many people forget to click them, you need a decent timeout to reduce the risk for those that don't log out.

Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.

Re:Clear private data

[QuantumG]

1. Clear private data in Firefox doesn't delete cookies by default.. you need to select that option.
2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?
3. Many other sites do too.. it's called convenience.

Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

Re:Clear private data

[Osty]

2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?

Slashdot has a "public" option. If you click that when you log in, your login state is only stored for the session and freed when you close the browser.

3. Many other sites do too.. it's called convenience.

Many other sites also implement a "public" mode like Slashdot has. Just as two other examples, Microsoft's Outlook Web Access (OWA) lets you choose "public" or "private" when you login, and Microsoft's Passport/Windows Live ID gives you the option to save email + password, just email, or nothing (the latter two are effectively session-only logins, as you still need the user's password in order to login subsequently). As well, every other site also has the ability to logout, which .Mac is missing.

Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.

A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time. If you only choose the latter, like .Mac, you must also provide a "logout" option. Anything less is a security violation.

Re:Clear private data

[naasking]

A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time.

The server cannot trust an unknown browser to expire the cookie and the server cannot detect when a remote browser has been closed, so the GP is right: a timeout is an arbitrary solution, and there is no good metric for choosing a timeout. Fortunately, the security properties of iDisk contain no flaw that doesn't already exist in a session/login-based web app. Fact is, this "flaw" is simply not a flaw at all.

Re:Clear private data

[skinfitz]

2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design? Slashdot also has a logout link, but most importantly the last time I checked Slashdot wasn't sold as a service where you could securely keep your most personal files in a remotely accessible disk.

The worst thing that could happen if someone got into a /. account would be the burning of karma.

Re:Clear private data

[SoulRider]

I have to agree with this. Any web developer who thinks their users are clicking that logout button and not the little red X in the upper right hand corner are just deluding themselves. Most users think the X means the eXit button

Re:Clear private data

[drewcosten]

Maybe I'm looking at the wrong screen, but I've always seen a Log Out option near the top right corner of the page (right below the Search box) when I've logged into .Mac on Safari.

Re:Clear private data

[bizard]

And in Safari, you can turn on the 'Private Browsing...' option so that as soon as you close the window, all private data is cleared. However, I agree that it is not really a solution. What is odd is that the main portion of .Mac actually has two logout buttons. It is only the iDisk access which lacks it.

Re:Clear private data

[Falstius]

The fact that we can compare the security model of Slashdot and iDisk and reasonably argue that Slashdot's is better is enough of a condemnation of the iDisk service. I don't care if someone gets access to my Slashdot account, they'd probably just kill my karma. Most likely, I would care if they got in to my iDisk account ... if I had one ... and a Mac ... and didn't do everything with DynDNS and SSH.

Re:Clear private data

[TheSkyIsPurple]

As I recall, the only difference between public and private in OWA is the length of the timeout... not its existence.

(Then again, that may just be our local policy)

Re:Clear private data

[stewbacca]

The worst thing that could happen if someone got into a /. account would be the burning of karma.

That's why I like to post as an anonymous coward.

Security Through Obscurity

[ookabooka]

podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple.

Ah, well, see, so long as Apple makes sure no knows about this, it won't be a problem. Surly everyone on Slashdot sees the validity of this strategy. (God I love my sig)

Re:Security Through Obscurity

[ookabooka]

If you are about to mod me down, keep in mind that this post was most likely sarcastic.
I hope this doesn't get modded informative.

Re:Security Through Obscurity

[PjotrP]

So you probably mean your sig is most likely sarcastic?

Re:Security Through Obscurity

[bealzabobs_youruncle]

The Apple discussion boards are for user to user support, very little chance of any intelligent discourse happening by leaving the post up. Just look at this site for examples.

Re:Security Through Obscurity

[ookabooka]

Yes, it's recursive sarcasm.

Huh?

[Yaztromo]

After accessing your iDisk in Firefox:

• Tools -> Clear Private Data"

In Safari:

• Safari -> Reset Safari

Or if you remember to do so before visiting .Mac's iDisk page:

• Safari -> Private Browsing

Problem solved.

So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.

Yaz.

Re:Huh?

[Shifuimam]

That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/applicationn, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.

Re:Huh?

[Moofie]

Seems to me that if you're concerned about security, you should think very carefully about using a public terminal.

Re:Huh?

[admactanium]

That's great and all, but it doesn't change the fact that (a) any web interface with confidential or private information should have an obvious method of logging out that doesn't require specific knowledge about how to delete cookies for a certain browser/applicationn, and (b) Apple is yet again ignoring and censoring users who are pointing out this flaw.

i agree. but fyi, i just did this with my own idisk account. if you quit the browser, then you cannot get back to the idisk interface without a password prompt. there should be a log-out function, but it's not as if it's impossible to end the session.

Re:Huh?

[Knuckles]

Of course its a toss up if an average user would use a log off button

That's why all bank sites I know log you out if you are inactive for a while. Seems like a good idea.

Re:Huh?

[MobileTatsu-NJG]

"Seems to me that if you're concerned about security, you should think very carefully about using a public terminal."

If the real world worked that way there'd be no guard rails.

Re:Huh?

[rastoboy29]

Dude.  You should know that this is far too arcane for the "average" user.

Frankly, "average" users shouldn't have to go out of their way to get good security.  We should be designing it into the systems we create for them to use!

Dammit!

Re:Huh?

[Haeleth]

So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.

Yes, if they're using a public terminal that provides Safari or Firefox. But how likely is that? Maybe things are different where you live, but I have never once seen a public terminal where the browser was anything other than Internet Explorer.

Problem unsolved.

Re:Huh?

[tedrlord]

The whole problem is that they're not concerned about security. Most security measures are because users aren't concerned about security. They get really concerned when they find out someone's taken all their stuff, but that's a different subject.

Anyway, as computer nerds, we're supposed to be concerned about computer security. Most people aren't. They have their own concerns. I'm glad that they're around to look after other things, so I don't have to be concerned about my bank running out of money, or my medication not being poisoned, or my car falling apart while I drive it, or all those nice other things that could be a really big problem if there weren't people making sure we were safe.

Anyway, a good computer security example is antivirus software. I stay the hell away from the stuff, it's slow and buggy and bogs down my system more than most viruses do. On linux, it's not an issue since security issues there are better handled by better configuration and monitoring, and on my windows box I just use manual system/network diagnostic tools to keep an eye on it and fix whatever's needed.

Does that mean I recommend the same to my friends? Hell no! I make sure they always run both a good antivirus and a firewall at all times. Otherwise they get viruses constantly. They just don't have the background to understand what they should and shouldn't do to avoid the things, not to mention the lack of skill necessary to deal with viruses as they come.

My friends aren't stupid (most of them anyway), it's just not what they do. They use computers as tools to get things done, and if they're not making it safe and easy to do the work they want, then the computers aren't working right. That's just how it is, and that's why services that allow people to use public terminals need to be built from the ground up to make it secure to use a public terminal.

You'd think Apple of all people (er, companies) would understand the need to make the right interface for different kinds of applications. Well, maybe I'm thinking back to the Eighties, way before their brushed metal/colorful candy era. If I had my way, they'd have canonized Raskin by now.

Re:Huh?

[Bearhouse]

Good advice for anybody accessing anything from anywhere via any browser. When finished, clear cache, delete cookies etc. Just common sense.

Re:Huh?

[eck011219]

All of that is true. But Apple has this whole "I'm a Mac" ad campaign that touts the ease of use of Macs for the average joe out there, but then does something like this where you need to know fairly deeply what's going on internally to keep yourself safe. To the typical user, if it's not on-screen, it's gone. They understand "log out," but won't understand that there are still scrids of their session left on a public computer even if the browser is closed.

Moreover, look at even the phrasing of the examples you give. Firefox is "clear private data" -- pretty straightforward, and you know what you're doing. "Reset Safari" is pretty cryptic by comparison -- it's fewer words (something Apple strives for, often rightly so), but it's far less descriptive of what's going on. Kind of a semantic version of the one-button mouse -- interestingly simple in theory, but it falls apart in practice.

But all of that phrasing business is almost beside the point -- what average MyMom user at a library computer is going to know to clear the browser's history and cache to log out of iDisk? One doesn't seem to have to do with the other. In this case, there simply needs to be a button to log out. I'm sure the Apple interface designers shudder at the thought of the added clutter, but so be it.

Re:Huh?

[v1]

The occurance of his post makes a great deal more sense if you consider the possibility that he's less technical than the "average user". That would explain why he's unaware of standard features. Sort of like a caveman complaining that a mouse is too complicated of a tool for the "average user" to be be expected to use.

Re:Huh?

[naasking]

You'd think Apple of all people (er, companies) would understand the need to make the right interface for different kinds of applications.

They did make the right interface. Fact is, this is not a security flaw. No, seriously. :-)

Re:Huh?

[anser]

The security problem is not that you can relog to iDisk without a password, it is that iDisk data remains in your browser cache.

Re:Huh?

[gordguide]

I must disagree with your conclusions as to what is more or less user friendly.

You probably just are not familiar with the applications. Both browsers are available for Windows and OSX and both work essentially the same for these particular options on both OSs.

If you're a Windows user and you're curious, you could download Safari 3 for Windows or FireFox 3 for Windows. In my experience people tend to prefer whatever browser they are most familiar with, so I don't expect any converts, but certainly you can find out more about a browser by using it for a bit.

FireFox's "clear private data" must be set up via a multi-step process. It clears private data after the browsing session ends.

Safari's "Reset Safari" also clears the same cached data, at any time during the session. People who are security-aware would restart the browser to end the session, but you don't have to.

Naturally, in either case the data remains on the drive; a proper secure erase is still required for true security.

"Reset Safari" is accessible with one click at: File: Reset Safari

Safari also has a pre-session privacy setting, also accessible with one click at: File: Private Browsing ... which doesn't retain the data in the first place. This is much better than just erasing pointers to data written to disk.

File: Private Browsing immediately precedes File: Reset Safari ... giving you two useful options: not retaining data or removing it if you forget to tell it not to retain the data first.

To use "clear private data" in Firefox is hardly "pretty straightforward" in comparison:

[Menu] FireFox: Preferences: Privacy Tab: ...
at "Clear Private Data tool ... " select [Settings] ... where you get to the place where this can be enabled. A number of checkboxes need to be configured, followed by clicking [OK]
You will also get a dialog when you quit Firefox asking you to confirm. At this point you need to specifically allow the removal of the private data or it is retained. If the browser or the OS crashes, if there is a hard restart, or you fail to quit FireFox for whatever reason, you won't see the dialog.

If you've set up Clear Private Data and you didn't get a chance to view the dialog at the end of your session and agree to remove it, you will get the dialog when FireFox is launched the next time. Needless to say, that doesn't help you if you're long gone from the Internet Cafe and someone else sees it.

Re:Huh?

[palmer64s]

Isn't that a browser security issue then? Hitting a logout button on a web site doesn't clear the browser's cache AFAIK.

I also thought that a web browser attempts to access the web site before loading from cache, so if iDisk is logged out, it wouldn't retrieve the data without a password prompt.

Re:Huh?

[MrAngryForNoReason]

"Reset Safari" is accessible with one click at: File: Reset Safari

I think the parent's point about "Reset Safari" is that the language used doesn't mean anything to the average user. It isn't obvious that it is a security option that would clear sessions and cached data. No matter how easy it is to get to if the user doesn't know what it does that doesn't help. "Clear Private Data" at least gives an idea what it will do although it can be argued that a non-technical user still might not understand.

As has already been stated many times in other comments the answer is to have a clearly labelled logout button as part of the web application, and a reminder to the user that they should logout when they are finished to prevent other users accessing their iDisk. Having a logout button in the main .Mac window isn't sufficient as a lot of users will close the main window when the iDisk window opens for them to work in.

Re:Huh?

[nine-times]

More to the point, I have problems with web applications that do have a "log out" button. Specifically, I hit "log out" and then re-enter the address that I was logged into, and I'm still logged in. I've had this problem with repeatedly with Microsoft Exchange 2000's OWA. I'm not expert enough to know what the problem is, but it seems like (depending on your browser), logging out of web applications isn't as simple and secure as we'd all hope.

Generally, if you're worried about security of your web apps on a certain machine, I'd recommend quitting whatever browser you're in, starting it again, and then clearing all the caches.

Re:Huh?

[palmer64s]

Good point, I tried the same with Yahoo Briefcase. I logged in with the public terminal setting (per session cookies), and even after I logged completely out of all Yahoo services, cleared the cache, quit and restarted the browser, I could still retrieve a file from Yahoo in the history buffer.

I guess the moral is to always clear History on a public terminal.

Re:Huh?

[gordguide]

" ... I think the parent's point about "Reset Safari" is that the language used doesn't mean anything to the average user. ..."

Maybe. But it's right there in the main menu:
File:
Private Browsing ... followed by:
Reset Safari ... followed by
Empty Cache

If you click on Private Browsing, you get:
Are you sure you want to turn on private browsing?
When private browsing is turned on, webpages are not added to the history, items are automatically removed from the Downloads window, information isn't saved for AutoFill (including names and passwords), and searches are not added to the pop-up menu in the Google search bar. Until you close the window, you can still click the Back and Forward buttons to return to webpages you have opened.

[Cancel] [[OK]]

Clicking on: File: Reset Safari gets you this dialog:

Are you sure you want to reset Safari?
Select the items you want to reset, then click Reset. You cannot undo this operation.
X Clear history
X Empty the cache
X Clear the Downloads window
X Remove all cookies
X Remove all website icons
X Remove saved names and passwords
X Remove other AutoFill form text
X Clear Google searches
X Close all Safari Windows

[Cancel] [[Reset]]

Clicking on: File: Empty Cache gets you:

Are you sure you want to empty the cache?
Safari saves contents of webpages in a cache so it's faster to view them again.

[Cancel] [[Empty]]

Now, all this is also available from the Help files, so there's not much excuse for not knowing what to do. And, as is the norm with long-standing Apple User Interface guidelines, you cannot do something dangerous without being given a chance to back out.

Having used Windows for many years, I can understand if Windows users never use Help, since Microsoft's help is often less than useless. Apple's OSX Help is much better, and OSX's help is not nearly as good as the Help in the old Mac System 7.5~OS9, the likes of which we probably will never see again in a mainstream OS. Which is a shame.

But, It goes against all evidence to suggest there is anything easier or more intuitive to the Firefox methods of doing the same things, and I know for a fact that FireFox (Mozilla) doesn't explain what is going to happen next nor does Mozilla's Help system get many points for clarity.

As for the rest of the admittedly on-topic discussion (login button or method) it wasn't part of the post I addressed.

But, since you bring it up I'll be happy to give my 2 cents: for me, it's a non issue because I never access the iDisk from the web and I don't know why you would want to when it's easily accessible from the desktop. And the very same issues the original post is all about plague all WebDAV access via all browsers in all OS's.

another security aspect

[pwizard2]

Is the iDisk connection encrypted, or is it wide open?

This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)

In other news...

[Dieppe]

Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...

Re:In other news...

[ColdWetDog]

Slashdot editor kdawson and Slashdot submitter deleuth mysteriously disappear...

I don't know about M. deleuth, but if Apple's Reality Distortion Field(R) can make kdsawson disappear, I'm buying another Mac. Maybe two.

Re:In other news...

[Pop69]

I'd buy a truckload if they could make Zonk go as well !

Re:In other news...

[GreyWolf3000]

*Cough.* Michael. *Cough.*

I'm very sorry...I seem to have something stuck in my throat.

That's interesting

[Auckerman]

I've never noticed that before. Probably because desktop WebDav on OS X is so slow that I just use dedicated client apps. The poster isn't being perfectly clear on the whole process for accessing your iDisk via dot mac. Here's how it goes. You sign into dot mac, then you sign into your iDisk. Same username, same password for both. You get a web page that access your WebDav folder on Apple's servers. Signing out of dot mac doesn't sign you out of the iDisk. A simple history check pulls it right back up with full write access to your iDisk (clearly not from web cache). No one would expect that behavior. I would assume there is a network idle time out, as dotmac has.

In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apples main advertising points for it. Gotta remember though, Apple, like all other companies is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working it's way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".

Though, the extra publicity will help.

Re:That's interesting

[Shifuimam]

There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem

...then a much more customer-friendly way of handling such a thing (if that's what really happened) would be to post that the problem is being looked into, and lock the thread so that customers are aware that Apple isn't censoring them. At this point, it just looks like Apple's pulling the censor-ignore-and-run method of "customer service" that they have certainly been guilty of in the past.

Re:That's interesting

[Auckerman]

The problem here is, they have an arguably bad forum policy. I agree, but that has nothing to do with their security policy. There are ways, that they aren't doing, to make this not a problem immediately. Like removing iDisk over web functionality until a fix that doesn't hose their server farm is tested and in place. They probably haven't done this because there is very little chance this is going to be a problem, since the series of events required for your iDisk to be compromised are incredibly unlikely. In real human terms, this really isn't a big issue, even though it definitely should be fixed immediately.

Re:That's interesting

[martinX]

From what I've seen of a few similarly-handled issues, once this information becomes public, they'll pull forum posts and then work on fixing it (if they're not already).

If you have a bug report, Apple asks that you submit it via the usual channels. They don't, however, respond to these.

I'd imagine (and it is only imagination, since I'm not SteveJ or anyone who works for him) that they don't routinely respond to bug reports posted online because there's a helluva lot of "bug reports" posted online (in italics because the 'bug' may be simply user error, not Apple's fault or just really minor stuff) and responding to every single one may look good but may bog important personnel down in trivialities.

Deleting them stops the noise, while allowing signal through (to Apple) and hopefully allows Apple to get things done.

Perfect? No. But probably an OK way of handling things, given the number of false positives (not really bugs) to true positives (real bugs like this one).

Re:That's interesting

[stewbacca]

They may have a bad forum policy as far as removing contentious points, but the end product is for the better. When new Mac converts go looking to figure out how to do something on their mac, they don't have to wade through hundreds of threads planted by trolls and haters.

Re:That's interesting

[stewbacca]

Not taking away from the supposed seriousness of the problem, but using .mac isn't the ONLY way to login to iDisk. I would suggest that it isn't even the main way (for anyone using a Mac for more than a few years). You don't even need a web broswer, as you can mount your iDisk to the desktop of any Mac connected to the net (through the finder). When you are done, you simply unmount the drive (drag to trash, choose from a menu, right click and choose). As usual, there are lots of ways to accomplish something on a Mac, but the detractors always focus on the one that is most offensive to the geek culture.

When Will Apple Learn

[numbsafari]

I am an new Apple user. And reasonably happy.

However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.

Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".

PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good profolactic. A good metaphore for Apple's current approach to security.

Re:When Will Apple Learn

[noewun]

You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes.

I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates.

Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.

Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.

Re:When Will Apple Learn

[mr100percent]

I disagree, Apple has responded quite well, building in access control systems, program app exceutable digital signing, sandboxes, Address Space Randomization, Input Manager Restrictions, Filevault encryption, etc.

Apple hasn't experienced a real virus outbreak, but they thought ahead to implement these features before anything has happened. They beat Microsoft in many of these areas.

Re:When Will Apple Learn

[Auckerman]

Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.

Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

You are incorrect in so many ways, I find it hard to begin.

1. There is no proof what so ever that Apple's install base is the reason Macs are more secure than Windows. Having network servers off by default and having a default web browser that doesn't run code written in C++, visual basic, and whatever the hell else ActiveX supports these days to be FAR more important than the install base. There are reasons that in the past, if you took a Windows computer out of a brand new box, hooked up via a DSL or Cable modem that your machine was hacked before you were finished logging in for the first time, and it isn't because of the installed base (you do remember that don't you). The Windows machine has active network servers running.

2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. If you don't like their update schedule and want Apache or whatnot to be running up-to-date you can install from the CVS just like the Linux and BSD people do. To me it's like saying Red hat doesn't respond rapidly to security holes. If you want a day zero fix, update from CVS. For the common user all of this is irrelevant, since their default install isn't listening to network traffic. Apple has also included other under the hood improvements, just like all other venders, to minimize the risk of buffer over flows.

I'm sorry, Apple's not walking some kind of security minefield just getting lucky all the time. Just like Linux isn't. Unix style security just works very well and is easy to manage. Your computer isn't magic, there's a reason why Microsoft's operating systems are getting owned all the time. There are a LOT of reasons for this, most of them boil down to bad default installs and the environment Microsoft has created within it's developer community. An environment that fosters laziness and has typically done very little to stop their bad practices. Things like making applications that require the admin to be login in order to run. Which in turn leads to the floor level tech just giving everyone admin access.

You computer is not made of magic, there are reasons Microsoft's operating systems suck and people complain about them and it's not because they are "not Apple and have a small install base".

Re:When Will Apple Learn

[Nimey]

profolactic Prophylactic.

Re:When Will Apple Learn

[dhavleak]

2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. lol. That's easy to do. Keep deleting posts on the issue until you release a fix.

I think ppl are missing the point. If .Mac has a security flaw, and somebody posts that flaw, at least the information is now available to users so they can now take defensive measures (don't use .Mac, or don't let people use your machine without logging in as guest, or something along those lines). Apple should be responding to the post with guidance on these workarounds until a patch is issued. i.e. they should empower users instead of deceiving them.

I don't understand how corporate structure, support monkeys etc. are relevent. Everyone agrees Apple has a well-documented history of deleting posts of this nature -- this is a deceptive practice and they should not be doing this. If this was any other company court cases would already have been filed. Only Apple users are this forgiving.

Re:When Will Apple Learn

[MobileTatsu-NJG]

"I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates."

To be fair, this is so silly that it should never have been a security problem. This shouldn't be measured by how quick they fix it, but rather how long they let it last.

"Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits."

I don't think you entirely got his point. The less an exploit is known, the more dangerous it is. Microsoft wouldn't get away with this, Apple shouldn't either.

Re:When Will Apple Learn

[wish+bot]

Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives?

I'm not sure you comprehend what it takes to engineer something like a Macbook, or even a MacPro. Saying they just choose the components is like saying I just choose the steel when I design something like Southern Cross Station. It's a >little more complex than that. They certainly do engineer their own motherboards, spec the components that make them up, and write all the drivers for they kit they use. Just because they use Intel procs these days doesn't mean their kit is a bunch of parts at the local compumart. If you've got a Mini I thought you might understand that - try building one of those yourself ;-)

Re:When Will Apple Learn

Fair point, but they are still choosing system-level components and laying them out. They would be stupid not to. Perhaps they even have a couple engineers laying out motherboards.

I guess my point was that what they do is make good decisions--that's much more significant than any minor layout tasks they might do. I've worked for a few companies that had engineers working at creating their own chip designs, board layouts, etc. Although it can be "Engineering", it's not particularly hard. (By Hard I mean unproven, how can this be done, etc). Hard is writing a multi-threaded OS core--they can't (and were smart enough to realize that). Hard is trying to get hundreds of video cards to work, taking advantage of the particulars of each different card.

Here's a good hard problem--as an OS vender, create a system and spec that allows two different companies with no knowledge of each other to write applications in such a manner as one might embed itself in the other, allowing in-place editing of the embedded document (switching appropriate UI elements to those of the embedded program as needed). This is virtually impossible, Microsoft tries to do crap like this and gets to the "Functional Demo level" while pretty seriously degrading the stability of the system go do so.

At all these hard problems Microsoft just piles on the engineers, gets some limited success--in many cases at the cost of system stability.

Apple doesn't even try. They know where their strengths lie--they are pretty much a system integrator. Okay, maybe not like Joe's custom computer, but they certainly show no more technical skill than Dell or any laptop maker. (Except, as I said, they write a serviceable X-windows replacement.)

By the way, by far my favorite things that apple did, any one company could have if they tried hard enough, but nobody ever has:
      Make a laptop where suspend WORKS repeatedly, without ever degrading
      Make a desktop/laptop that is dead quiet unless it absolutely needs the power
      Looks cool (hell, I bet 40% of the engineering staff is set to this task, they should get it right)

Hmm, thought the list was longer...

Re:When Will Apple Learn

[jcr]

Don't they just order and piece together hardware just like joe shmoe's computer shop would?

No, they don't. That's why the MacBook Pro is thinner and lighter than machines from other vendors with comparable performance specs, for example.

-jcr

Re:When Will Apple Learn

[croddy]

Actually, it's been a dead heat between Linux and OS X for close to two years now.

Re:When Will Apple Learn

[apoc.famine]

Of topic, but I'm somewhat curious: What determines if you have to enter a CAPTCHA to post? I've never seen one, so I'm guessing it's either new or low karma accounts. Anyone know for sure?

Re:When Will Apple Learn

[Jeff+DeMaagd]

Safari for Windows had several big security holes exposed the first day, despite being, as their promo site says "Built with security in mind from the ground up". That did not inspire confidence. Quicktime has a few security holes a year that need to be patched, and a couple of those security holes have caused problems with Myspace and Second Life. I recall it took a two or three months for Apple to address the one that bugged MySpace.

I'm not sure how programming in Objective-C is safer than C++, but I don't know the very guts of both to see the difference, just enough to make programs. It doesn't look like Obj-C really slows down the writing of insecure code to me.

Re:When Will Apple Learn

[TomHandy]

OS X is more than just a "serviceable X Window replacement".

And Apple does more than just pick components to cram into a laptop. The MacBook Pro, for example, was designed from the ground up by Apple, and does feature custom designed internals - yes, obviously some components are standard (the CPU, GPU, etc.) but the motherboard, etc. is original.

If the MacBook Pro was just a bunch of off the shelf components, there would be a lot more 1" thick 5.4 pound laptops out there.

Re:When Will Apple Learn

[NMerriam]

I don't think you know very much about Apple history, or the design effort they put into their hardware and software.

For example, your "Apple doesn't even try" example was called OpenDoc, and it was hardly a secret.

Re:When Will Apple Learn

[99BottlesOfBeerInMyF]

However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.

Apple is a mixed bag when it comes to security. They have employees they acquired from other companies specializing in Web technologies, graphics, video, and numerous other topics, as well as old-school Apple employees many of whom do not take security seriously enough. On the other hand they have all the Next employees and all the old-school Unix guys they've hired on to manage the guts, who live and breath security. As a result, in some ways Apple is way ahead of the game for security (like with their new sandboxing and signing frameworks in Leopard) and in others they seem oblivious. I can't think of another consumer desktop oriented OS that ships with so few services running, and with almost all of those sandboxed. Then you get to other things Apple, like some of their userland applications and Web services and you wonder that the same company could produce both of them. Apple is pretty schizo in this regard.

Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.

I disagree. Apple is a juicy target for exploitation for many reasons. They are less likely to be exploited due to a number of market and social factors, but in general, Apple's security has been fairly sound and that is why they are not worm food. Further, I don't see Apple's security record becoming poor in the future. Apple, Linux, Solaris, etc. all have one major thing that will keep them more secure than Windows is today... motivation. If Apple's security starts to fail for their users, Apple loses money as they move away. Thus, Apple has direct financial motivation to fix the problem, and they will. This is the advantage of a free market. Microsoft, however, has a monopoly, so even when their users are screaming out for better security, MS loses very few, if any, if they ignore their customers and focus instead on locking in a new market and this latter action will make them more money. They have direct financial motivation to do little more than provide the appearance that they are doing something security-wise, and that is what they keep delivering.

You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.

Here is my experience with Apple's security response. My co-worker found a potentially exploitable hole in OS X. He went to Apple's Web site and reported it as a security bug in the bug report section, not commenting the forums that are for users not Apple employees. Apple sent him a message a few days later saying they'd look into it. A few weeks later the next security update for OS X came out and fixed the problem, including crediting my co-worker with discovering it. It was painless and quite rapid for that large of a project, considering the time for research, coding a fix, testing, and rollout, in fact a lot faster than our average response time to that same priority of bug (and we sell much more critical security devices). From everything I've seen, Apple responds fairly quickly to security issues reported to them and the only instances where there are major problems are where researchers refuse to give Apple details before p

Re:When Will Apple Learn

[99BottlesOfBeerInMyF]

Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives? They might make the cases, I doubt they make the power supplies.

Apple is an OEM like Dell or actually, more like Sony. Most of the components they use are standardized, but they do have motherboards designed just for them, they design how all the components go together, which ones to use, and what the required specifications (acceptable failure rate) are. Not all machines are created equal in this regard. Just take a look at the percentage of machines returned due to failed hardware that consumer reports publishes each year and you'll see Apple at the top of the list, closely followed by Sony, Lenovo and (surprisingly Dell this year as they've managed to turn around their laptop manufacturing, although not desktops). Other vendors have up to five times the percentage of hardware failure.

So they made a good OS? Naw, they made a darn good windowing system to replace X though. Of course, all the concepts were out there--nothing technically groundbreaking.

They (or Next who took over Apple) made a lot more than the windowing system. They made the kernel, the APIs the filesystem, the services framework, much of the userspace apps and daemons, and don't forget openstep. As for the graphics, well a PDF (vector) based windowing system was certainly ahead of it's time, although the networking capabilities were retrograde.

So what does Apple actually make?

They make the software, minus some pieces where they share development with the OSS community. They make the hardware.

They restrict the hardware which must avoid thousands of "little annoyances" PC users see (like laptop suspend being flaky).

Ummm. The flakey driver annoyances are always a problem for the hardware vendor, not the OS vendor. MS doesn't write drivers for Dell hardware, Dell does. Each OEM is usually responsible for getting drivers together and each OEM supports a subset of hardware, just like Apple.

They let someone else create the multi-threading OS kernel for them because that's hard.

Mach? Mach has been so remade by the Next engineers that it is pretty much their baby at this point. When Next was acquired by (or acquired) Apple they remade it further making it more monolithic and they've been reworking it ever since. Apple certainly does their own kernel.

The other thing they bring is a lot of people who grab onto anything that they can latch onto to make them appear different--the VW bug, iPod, blackberry...

How does an iPod make one appear different? They make up nearly 70% of portables.

...security-wize, but if they ever start doing any ground-breaking work, they will most likely start seeing some serious problems.

You mean like being the first desktop OS to implement an SELinux style mandatory access control system by default and use it to sandbox services? The verdict is still out, but they seem to have done a pretty kick-ass job with that one so far. Apple has a lot of really good security people from Next and from BSD and other UNIX backgrounds that have been hired into the company in the last five years. Some of them do some solid, cutting-edge work. Apple's problem is that they are such a mixed bag when it comes to engineering, a lot of the userspace and services people are at the opposite end of the spectrum and don't think about security at all. Still, Apple is ready and poised to kick some serious butt when it comes to security enhancements, when and if, security ever becomes a real problem for the majority of their users. They are also getting a lot of free testing and fixes from the community, since so many people in the computer security industry are now using OS X on their own system

Re:When Will Apple Learn

[ToasterMonkey]

What exactly do you feel they're unprepared for?

You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. I don't have a clue what they really or apparently are doing internally in regards to security, could you explain?

Apple apparent arrogance and ignorance when it comes to security. Forum admins deleting posts from their own forums because they don't belong? No, really, I'm completely guessing, what's so apparent here about their security?

The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. How??.....????!!! I'm not going to suggest you're right or wrong. You're saying some incredibly symbolic stuff here, with the 'vertical integration" and the 'crashing down' and all, so why don't you follow this up with um.. proof of something?

Just looking out for the best interests of the public here, nothing personal. I'd like to know 'what' I'm supposed to be afraid off before I start hiding under the covers, that's all.

  I'd love to hear your reasoning. Thanks.

Re:When Will Apple Learn

[landonf]

I see no proof of this. Apple responds relatively quickly to security holes and releases regular patches and updates.

Well, yes and no. Apple *is* very good with many security issues, but here are a few counter-examples off the top of my head:

• CVE-2007-2788: Integer overflow in the embedded ICC profile image parser in the JDK. Unpatched for over a year.
• CVE-2007-0243: Buffer overflow in the Sun JDK GIF parser. Vulnerability was made public on January 17th, 2007, and was unpatched until December 13th, 2007.
• CVE-2007-5232: When Java applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections. Released October 5th, 2007, unpatched until December 13th, 2007.

Apple is not operating at 100% all of the time. In the case of these Java updates, some potentially serious issues sat unpatched for a good long while.

Re:When Will Apple Learn

[Auckerman]

You clearly didn't understand my post. You can code for activeX in C++ (along with several other nonsandboxed development environments) and then have that C++ program running over inside the web browser with local user privledges. They did this for internal business networks who, to varying levels of success (usually little to no success), have security rules set up that try to prevent unwanted code from running over the browser. Then they leave that "feature" on for home users, who get owned by random nefarious sites which are set up to create botnets. The ability of IE to run code in a web browser as if it were a local application is why IE is terrible and will NEVER be secure. If you understood how Windows operates in the context of how all other operating systems operate, you would understand why Windows get owned so quickly.

Re:When Will Apple Learn

[numbsafari]

I'll respond to the last part of your post since you think its something "the public" should be concerned about...

Basically it's this: the value proposition (as I see it, I'm fully expect others see it differently) from Apple to me as a consumer is that the provide a full range of computing devices and services for both work and entertainment that encompass a very broad spectrum of my lifestyle and that are integrated in a very nice manner. This is what I mean by "vertical integration". Everything in their "ecosystem" is integrated and is engineered to work together. Without getting into a big debate about Microsoft, let me just say that they are a lot like Microsoft except for this one fact: their suite of products is more complete and Apple exerts much more control over all the moving pieces in an effort to produce a higher quality overall solution.

It's that integration that makes Apple's products more valuable. That's what all their design effort really goes into. That's where it pays off.

There have been a number of recent articles/debates/discussions/etc. concerning the idea of a "monoculture" primarily as it relates to Microsoft. The general argument goes that since we all depend so much on Microsoft products then a serious flaw in those products could result in a serious "doomsday" scenario for all of us. Botnets are a great example. However, a similar problem faces anyone using a high integrated system that is sourced primarily from one vendor. Sure, it doesn't have the same cultural/social significance as flaws in Microsoft products. But for the individual/corporation/group who is invested in that technology, it does pose a significant threat.

So, the issue for Apple, as I see it, is that a security vulnerability that can be used to attack that highly integrated system could result in a dangerous situation for that individual. This is entirely hypothetical.. but, go with me.. a flaw in the .Mac security that prevents a user from logging out of their iDisk in an effective manner (this is really just an issue of UI design and one that, I agree with those who post above, is questionably solely an Apple problem or even an iDisk problem and more likely a browser design issue) could potentially grant someone access to their iDisk... if there were a further flaw that would let me manufacture access to your overall .Mac account and from there access to your personal information I could then steal your identity. Or perhaps download incriminating pictures of you that were backed up from your iPhone. Or change your password and security questions so that you no longer have access to your account. Or perhaps even then exploit that .Mac or iDisk access to connect to your machine at home via "Back to my mac" and trash your harddrive and then delete all your iDisk data.

As all these things become connected, they all become interdependent. Interdependence is good because it creates value. But it's also poses this problem that dependent systems are just that, dependent on each other. One's failure could mean the other's failure.

So, that's my reasoning there.

Also.. if you don't see the connection between a policy of secrecy and disinformation on even the most pointless of issues (related to security or not) and overall security... I don't know that I can help you. I would think everyone who reads /. regularly knows the inevitable results of pinheaded, PHB corporate behavior.

I don't mean to single Apple out in any way. I really do generally enjoy their products and they have been lovely to deal with from a support perspective when I have had to do so. However, I think I am not alone in my rational concern over this type of behavior and what it means for them overall. The irony of their 1984 ad campaign and this pattern of behavior is not lost on me.

I can like Apple and be disappointed by them at turns as well, thank you very much.

Re:When Will Apple Learn

[numbsafari]

Damn!

As soon as I hit post I realized my stupid mistake.. I was hoping someone would post the fix... :)

Re:When Will Apple Learn

[arminw]

....However, as its market share and mind share expands, this period of respite will soon fade........

Apple's market share has been expanding for a while now. That prediction of dire malware for the Mac infesting every Mac has been parroted again and again, with increasing frequency. I personally am quite sick of it, in view of the FACT that nothing has happened in all these years. There are MILLIONS of Macs out there, Surely someone, a super smart hacker would have come up with SOMETHING by now to infect a large number of Macs. Yawn, wake me up, when 10,000 or more Macs, or even a few hundred, fall victim to some super smart, super virulent, self-propagating malware. Stop making such a mountain out of a molehill about some obscure flaw, where someone fails to log out of a Mac that isn't even their own.

Re:When Will Apple Learn

[Ilgaz]

"Feedback" form is for people who (like me) to say "Leopard is awful, you shipped it too early". :)

Actual thing is http://bugreporter.apple.com/ , "New Problem" "Security" from drop down menu.

He seems as an advanced user/developer and yet uses the "Feedback" form. Than posts to public forums ignoring their policies punishing those non techie .Mac users.

Here is the complete open Mozilla project security issue reporting guideline
"IMPORTANT: Anyone who believes they have found a Mozilla-related security vulnerability can and should report it by sending email to the address (removed) @mozilla.org. For more information read the rest of this document."

It doesn't say "Post it using feedback form, if you don't get any response, use mozillazine forums to post it to public and when it is deleted, post it to slashdot" :)

Re:When Will Apple Learn

[nine-times]

I don't know why you think Apple's security is so awful. The base of the OS has strong roots (based on NetBSD/FreeBSD, both very secure), and they haven't had much of a history of viruses, malware, or other huge security breaches. And it's not that people aren't trying. Loads of people hate Apple for various reasons and would love to see a virus or hack destroy Apple's claims to creating "secure" products. It's just that no one has succeeded yet in making a big splash.

Re:When Will Apple Learn

[stewbacca]

Nice post new Apple user, but as a long time Apple user myself, I'll start worrying about your "sky-is-falling" scenario once it actually starts happening (if ever). Twenty years on and I'm still waiting...Call me arrogant if you must, but I'll continue to live in my arrogant and ignorant world, because it's done me well thus far. I "think" Macs are well enough mainstream that there would have to be a least a small pocket of hateful geeks that would love to hack the hell out of OSX. The problem is they exist, but they just aren't having any success.

Re:When Will Apple Learn

[ToasterMonkey]

I see where you are coming from now, but I don't understand how you are relating Apple's vertical integration to the problems associated with a Microsoft monoculture (a horizontal issue). Where Apple has extremely good integration, there isn't exactly firewalls in the alternatives (verticals). After all, malicious software can just as easily propagate from a web server, steal pictures from your iPAQ backup, and email/IM them to all your contacts.

Integration is most useful (and secure) for individuals when done in a vertical manner. A security vulnerability exposed horizontally across a large monoculture is still a primary concern, a vertical monoculture is secondary. That being said, OS X isn't devoid of any internal security devices. The keychain and strong Unix foundation are excellent examples of defense from vertical attacks.

So, what's your solution for secure vertical integration then? I hope you don't think antivirus software is it.

Also.. if you don't see the connection between a policy of secrecy and disinformation on even the most pointless of issues (related to security or not) and overall security Sorry, I don't see the connection between "a policy of secrecy and disinformation on even the most pointless of issues, not related to security" and overall security. Are you referring to their upcoming products or features?
As far as secrecy regarding security, how is Apple different from anyone else? Can you find a vendor that does encourage discussion of either previously unknown or undocumented security vulnerabilities in their own public forums?

I can like Apple and be disappointed by them at turns as well, thank you very much. No need to get defensive, I hear you there. I'm just unsure how you think things should be different, or how Microsoft's lack of vertical integration somehow improves their security situation. Honestly, I only understand your complaints from a theoretical point of view. Sure, I can think of better security measures for all concerned, but I don't see any real cause for concern for Apple software users at the moment.

Re:When Will Apple Learn

[ToasterMonkey]

Sorry, I understand you didn't mean to single out Apple for the secrecy about security issue, but I got caught up in the moment. Yes, just because all the other boys do it, doesn't mean they should. ;)

I'd still question whether other methods of handling vulnerabilities would be all that much better (for all involved) than the industry standard methods of secrecy and public disclosure AFTER a fix is available.

Just another hit against Apple...

[Shifuimam]

Yet another incident where Apple blatantly ignores the customers they claim to value so much...and they will likely continue to do so until there's such a shitstorm about this that they have no choice but to respond. Apple used to be a good company...ten years ago. Now they're just as bad (if not worse, in many regards) as every other IT giant out there. Sad.

Re:Just another hit against Apple...

[megaditto]

Why is that? Did they change something 10 years ago to make them different?

Personally, I just don't expect a publicly traded company to look out for me (unless I am a shareholder, but even then...)

Re:Just another hit against Apple...

[naetuir]

Do you have any of those pesky things known as "facts" to back that comment up?

I, for one, would never have used a Mac before OS X came out. Their rewrite to place themselves on a BSD kernel is what got them a lot of converts fromt he *nix community (I'm one of them). Mac OS 0 was basically only useful for those that wanted a powerful graphics/video editing system. Not to say that was the only thing they could do, but the cross platform capabilities only started really showing up in the OS X era (which is what makes the system viable now).

So, if you mean by writing an OS that appeals to a much greater market share (read: customers) and giving them what they want (iLife, something that just works, et al) shows that they 'ignore' their customers and that they are worse (in your eyes) than every other IT giant out there, absolutely.

Don't get me wrong. They have their share of flaws. Vendor lock in is my biggest complaint. But... This "Apple doesn't listen to their customers" thing? Sounds like a heavy dose of FUD to me.

Re:Just another hit against Apple...

[The+One+and+Only]

Why is that? Did they change something 10 years ago to make them different?

Their entire management team. Jobs et. al. only took charge in 1997. Mac OS X came out in 2001 after years of development under the new management.

How many people actually use iDisk?

My mother uses a Mac so I was interested in making sure she doesn't get pwned. I never heard of iDisk so I checked it out.

.Mac iDisk lets you store, access, and share large files with drag-and-drop simplicity. And with ample online storage, even huge files are no problem.

It sounds neat but mom isn't going to use it. My way to do the same thing is just to ssh to my desktop at work and do whatever. So, I wouldn't use something like iDisk. It is also neat that you can share large files with your buddies. otoh, people can share movies online without iDisk.

So, my question is, how many people actually use iDisk? How much of a problem is this actually.

Re:How many people actually use iDisk?

[admactanium]

So, my question is, how many people actually use iDisk? How much of a problem is this actually.

actually, i use it all the time. it's a very convenient way for me to let clients download files. i have a hosting account with a traditional host as well, but i never went through the trouble of making/figuring out a nice-looking interface for my clients to use. with idisk i throw them into the public folder, then log into the web interface to set-up/edit their download page. obviously, this isn't great for confidential information, but i rarely deal with stuff that sensitive. i also host one of my personal websites on .mac. i will say however that i don't use the finder's idisk implementation nor do i manage the input/output of my files on the web. i just ftp into my idisk and then deal with the interface afterwards. ftp is much faster than the native interface. but i do find idisk to be really convenient in my particular case.

Re:How many people actually use iDisk?

[stewbacca]

Except iDisk makes it possible for people like your mom (i.e., have no idea what ssh means) to do what you do when you ssh to your desktop. That's iDisk's sole purpose in life; to marry a powerful geek function (ssh) with something most common people know how to do (browse the web). And geeks who are too full of themselves take offense to Apple's simplification..which is the whole reason geeks generally hate Macs.

Your .sig

[Knuckles]

Free means no restrictions

Your basic premise is wrong.

The Cult of the Mac

[urcreepyneighbor]

If you suppress bad news, it doesn't exist!

Re:The Cult of the Mac

[DigitAl56K]

Oh the irony, I wish I could mod the guy who modded you -1 Troll +1 Funny!

Re:quix fix

[Mathinker]

Didn't you skip

step 0. Boot Linux from USB.

?

Assuming firefox will only use ramdisk for it's cache, of course...

Wait, what??

[Khyber]

No SSH session for transmission of personal data, and reliable logout for protection? Insane security practice from a now UNIX-certified OS vendor, especially when it comes to something so private as the transfer of one's hard disk contents to an internet backup? Ah well, it was bound to happen, and it has probably happened in the past, and will likely happen again in the future. Anyone can slip up.

Re:Wait, what??

[tomtermite]

Dot Mac is a WebObjects application (more likely a set of WebObjects applications). Closing the browser ends the session; in addition, the session key is unique (and Apple is using re-writes to make the session key less discernible) -- i.e., the page is session specific.

As for SSL transmission, the login is SSL (this is the form submit from the login page):
https://www.mac.com/WebObjects/Welcome.woa/1204/wa/authenticate?cty=US&aff=consumer&lang=en

FInally, there is a LOGOUT link on the right side of the web interface for Dot Mac -- clicking that terminates the session. So this article needs to be looked at again...

Re:Wait, what??

[tomtermite]

Yikes - my bad. The dot-mac logout DIDNT terminate the webdav session!!

Apple -- hire Bluedog to fix this!

No, incident does prove Apple is lacking ...

[AHumbleOpinion]

Huh? You seem to have conflated their corporate policy, which is sometimes very stupid, with their security policy, which is generally good. The two have nothing to do with each other. Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits.

You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.

Re:No, incident does prove Apple is lacking ...

[Trillan]

You realize that the post was probably deleted by someone in poorly-trained low level support monkeys, right?

Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.

Re:No, incident does prove Apple is lacking ...

If you have an ADC account (it's free) you can submit via bugreport.apple.com

Feedback never gets a response from what I have heard, but is listened to. Look at the new feature in the latest Garageband update for example.

As for the forums, they say quite clearly they are for user to user technical support, not discussion of policies.

Re:No, incident does prove Apple is lacking ...

[noewun]

You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.

How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind. Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. They may be working on a fix already. They may not. They may roll it out in a week. They may not. And an article may appear tomorrow which proves that this security "flaw" was vastly overrated and is not that serious.

If you wanted to critique Apple's security prowess you could compile a list of known security flaws, with their severity and a list of how long it took Apple to patch them. That would be a logically constructed argument. However, this is Slashdot, so I won't hold my breath. This is the same lax "logic" which leads to a lot of the Microsoft bashing around here, and it looks stupid no matter which way it's pointed.

Re:No, incident does prove Apple is lacking ...

[AHumbleOpinion]

How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind.

You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple.

They may be working on a fix already. They may not. They may roll it out in a week.

That may be timely for a software update delivered to end users but it certainly is not for a web page and server side glue.

Re:No, incident does prove Apple is lacking ...

[eyeye]

I've had to reboot my macbook pro twice in the last couple of weeks because of new versions of quicktime to fix security flaws, it's 51Mb each time and I don't use quicktime at all. I could stomach it if it didn't require a reboot. How did they couple a shit buggy media player so closely to the OS?

Re:No, incident does prove Apple is lacking ...

[Tim+C]

The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy.

No - but not putting a log out button on a protected web resource does mean that they are either lax or lazy. I have no particular antipathy towards Apple, but that's just plain dumb. Even if the flaw isn't serious it certainly *looks* bad, and violates established practice for web applications.

Re:No, incident does prove Apple is lacking ...

[wish+bot]

The few times I have submitted comments/bugs to the ADC bugreport email address, I've always received an answer back (even if it's "we're working on it"). The first time it happened I was completely shocked - it was a real email written by a real person with a real answer. Brilliant.

Re:No, incident does prove Apple is lacking ...

[fastest+fascist]

Good lord, what kind of a dresscode do they enforce at Apple?

Re:No, incident does prove Apple is lacking ...

[kelleher]

Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. Wrong - it means exactly that.

If their security folks weren't lax and/or lazy there would be a well known and well understood process within Apple for all the divisions to follow when a possibly security flaw was reported. The process should include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.

Re:No, incident does prove Apple is lacking ...

[Hal_Porter]

Good lord, what kind of a dresscode do they enforce at Apple?

Scene?

Re:No, incident does prove Apple is lacking ...

[solitas]

I've used the same email address too - and while I haven't received a personal response I have a vouched-for 'friend of a friend' who works there and she _was_ able to check it out and found that my email _was_ read and considered.

Her response _also_ repeated the point that Apple (quite naturally) prefers receiving bugreports through the proper (secure) channels and not having to cull them from unrestricted forum postings.

Re:No, incident does prove Apple is lacking ...

[bigstrat2003]

Yet has nothing to do with it. That logout option should've been there from day 1 of *writing* the damn application. Common sense says: if you have a log-in, give the user the option to log out. Apparently some team at Apple lacks (or lacked) common sense.

Re:No, incident does prove Apple is lacking ...

[NMerriam]

If their security folks weren't lax and/or lazy there would be a well known and well understood process within Apple for all the divisions to follow when a possibly security flaw was reported. The process should include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.

There is a well known and well understood process, it's called bugreporter.apple.com. The process does include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.

What you're complaining about is that random forum administrators don't have the responsibility, time or technical ability to personally evaluate every forum post for whether it contains a bug or a security flaw as opposed to a stupid user error.

Re:No, incident does prove Apple is lacking ...

[NMerriam]

You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple.

Or it indicates that user forums are not the place to report security flaws, and that user forum administrators are in no way able to evaluate what is a stupid user error vs what is an actual security issue across the hundreds of different hardware and software combinations Apple offers. If you think every forum post should simply be echoed to the bug tracker, that's your prerogative, but it seems to be a great way to waste a lot of the qualified bug-squashers' time.

Re:No, incident does prove Apple is lacking ...

[kelleher]

You just don't get it. Either security is a corporate priority - then all employees (even forum admins) are educated about how to handle reported security issues - or it's not. It's that simple.

Now stop acting like a brainless fanboy and think a bit.

Apple screwed up.

First they deployed an internet based service without a proper security review (or had it reviewed by less than qualified staff). And second, when it was reported they (sorry, but the forum admins do speak for the company - in this case perception equals reality) deleted the reports instead of providing helpful information and an eta for the fix.

Now it's time for you to say it. Go ahead, say "Apple screwed up." Admitting you're a fanboy is the first step of recovery. It won't hurt you or Apple - I promise. But it will lift up the rose-tinted glasses you're wearing.

Re:No, incident does prove Apple is lacking ...

[NMerriam]

Apple's .Mac team screwed up by not offering a logout button. Apple's forum team did not screw up.

Forum administrators are not required to have the technical skills to evaluate which posts could be a genuine security issue real and which ones are user error. The secretaries answering the main switchboard don't have that capability, either. Their delivery truck drivers don't have the ability to evaluate security issues. Neither do the guys who clean the toilets. If you really believe that security is a corporate priority that literally any externally-available person should be responsible for, your company must have the most highly trained garbagemen on earth.

Re:No, incident does prove Apple is lacking ...

if forum admin don't have the necessary technical skills to evaluate which report are security issues, why are they deleting them so that noone else can? or pointing those users to the correct place to report such issues? putting your head in the sand only makes things worse, and gives apple their reputation for arrogance

Re:No, incident does prove Apple is lacking ...

[stuboogie]

BINGO!!! Give this AC a cookie!

You can try all the diversion tactics you want, but at the end of the day the post was DELETED to remove the public announcement of a vulnerability!!!
So, whoever deleted the post must have done it for a reason?

If they thought it was a REAL bug and deleted the post to remove it from the public eye, then that shows Apple is more concerned with their public image than the security of their products.

If they thought it was NOT a real bug and just a user error and deleted the post, then they did nothing to assist the user in error. That doesn't sound like very good technical support to me.

Re:No, incident does prove Apple is lacking ...

[schon]

Wow. Just *wow*. That's a mighty powerful logic disconnect you have there. Seriously dude, considering how at odds those two paragraphs are, how come your head doesn't explode?

the post was probably deleted by someone in poorly-trained low level support monkeys [...] Apple has a bug reporting system and an email for security issues. Use them, not the forums So.. what exactly prevented the "low level support monkey" from emailing the security team? If their bug reporting system is so difficult to figure out that even apple's own support people don't know it, why do you expect some third-party person to know about it?

Re:No, incident does prove Apple is lacking ...

[nordicfrost]

I submitted a crash once, and got a reply from an engineer at Apple. He asked about the circumstances around the bug, and together we found that it was caused by some buggy code in a third party program. They contacted the supplier of the program and later, a fix was issued. I was amazed that someone actually responded...

Re:No, incident does prove Apple is lacking ...

[Reaperducer]

That logout option should've been there from day 1 of *writing* the damn application. Common sense says: if you have a log-in, give the user the option to log out. Apparently some team at Apple lacks (or lacked) common sense.

The logout option *is* there. I guess you were too busy foaming at the mouth to actually do any research, much like the people behind the original FUD.

Re:No, incident does prove Apple is lacking ...

[NtroP]

The few times I have submitted comments/bugs to the ADC bugreport email address, I've always received an answer back (even if it's "we're working on it"). The first time it happened I was completely shocked - it was a real email written by a real person with a real answer. Brilliant.

This has been my experience as well. I've submitted several bugs. The first one was responded to by the next day and that was to ask for more information. It was followed up after a couple of days with a patch emailed to me. They asked me to test it to see if it fixed the issue - it did and was included in the next roll-up patch. The others received answers along the lines of "Thanks, someone else has already reported this, we are working on it, if you have any new information please reference xyz ticket." I even received a phone call once.

Apple has always been rather prickly when proper procedures aren't followed with bug reporting. A public forum is a good place to ask a question but is definitely *not* the place to submit a security-related report - they were well within their rights to remove it. Although I would have replaced the message with a "Post removed: submit security issues to product-security@apple.com" . My only complaint though, is that if you aren't already familiar with the reporting procedures it's not easy to find where to report bugs. Of course, a little googling or searching on Apple's site give you the answer, but the average noob won't do that. Of course they also don't know how to properly articulate the issue most of the time either.

Re:No, incident does prove Apple is lacking ...

[NMerriam]

if forum admin don't have the necessary technical skills to evaluate which report are security issues, why are they deleting them so that noone else can? or pointing those users to the correct place to report such issues?

The forum administrator's job is pretty straightforward -- deleting any messages that aren't on-topic for the forum, which is polite, user-to-user support. You're right, it might be appropriate for message posters to be given a link to bugreporter before posting, I'm pretty sure they're given a link to the knowledge base.

Re:No, incident does prove Apple is lacking ...

[bigstrat2003]

Another poster clearly stated that logging out of .Mac doesn't log you out of the drive. If that's not true, I have no way of knowing (I don't use Macs), so I take it at face value. Of course, it's more likely that you didn't know that, because you were too busy flaming people for no good reason to actually read the discussion.

Re:No, incident does prove Apple is lacking ...

[NMerriam]

You can try all the diversion tactics you want, but at the end of the day the post was DELETED to remove the public announcement of a vulnerability!!!
So, whoever deleted the post must have done it for a reason?

Yes, perhaps because it was offtopic for the forum, inappropriately worded, etc? But perhaps you're right, and it wasn't something simple like a person deleting offtopic posts -- it was probably a conspiracy!

Re:No, incident does prove Apple is lacking ...

[NtroP]

So.. what exactly prevented the "low level support monkey" from emailing the security team? How do you know the didn't? All you know is that they removed an improper, security-related post from a forum. They may very well have filed a bug report...

Re:No, incident does prove Apple is lacking ...

[Scudsucker]

I've had to reboot my macbook pro twice in the last couple of weeks because of new versions of quicktime to fix security flaws

Then don't download it. Duh. Updates are optional.

Re:No, incident does prove Apple is lacking ...

[vanyel]

If you use Basic Authentication, you *can't* put a logout button on the web site --- it's up to the browser, and I have yet to see a browser that will let you logout from Basic Auth without shutting it down entirely (perhaps "clear all private data" will do it, but that's rather extreme).

Now I wouldn't disagree that *using* Basic Auth for your site means you're being lax or lazy...but so are the browser authors that don't fix that.

Re:No, incident does prove Apple is lacking ...

[stuboogie]

Offtopic?? Inappropriately worded??? Are you serious!?!?

So it is OK to just delete posts from a user forum because the moderator thinks the post is "inappropriately worded"?
Well, the content of the post was relevant, but the poster didn't use proper grammar. I guess I'll just delete the post!

Even if it was offtopic, how many forums just delete a post! You tell the user to post in the proper forum. Some forum moderators will even move the post to the proper forum. However, I don't use any forum that just goes in and deletes a post unless the content is offensive. I guess a user posting a "possible" vulnerability was offensive to the Apple moderator.

Conspiracy? Grow up. I am addressing what I consider inappropriate handling of a post in a forum. You seem to think that a post being deleted is fine.
Maybe I can have privileges on /. to delete YOUR posts whenever I feel like it. Would that bother you???

Re:No, incident does prove Apple is lacking ...

[NMerriam]

hey, you're the one who claimed the person deleting it was to specifically targeting that message to try and cover up the incredibly top-secret sensitive content. I think it was just a typically overzealous admin deleting messages that weren't on-topic.

You're right, Apple's forum policies suck. They've always sucked, they've always been ridiculously restrictive, and they're pretty much typical for an official corporate message boards (Dell's are actually pretty free-wheeling at times, but they still bat people down if they get overly negative about Dell products). I'm not defending their policies, just stating what they are. If you post a message there that isn't politely asking for or offering user to user support, there's a really good chance it will get deleted. That's why most users don't use Apple's official boards (or any company's official boards).

And yes, even if you have a legitimate post topic, if it is worded inappropriately (ie "My fucking iDisk page doesn't have a logout button you goddamn retards!") it will be deleted on pretty much any official corporate message board on Earth.

Re:No, incident does prove Apple is lacking ...

[jeffasselin]

Indeed. Of course they're going to delete such posts from their discussion forums, it's not the correct place to disclose security holes and issues!

Re:No, incident does prove Apple is lacking ...

[stor]

> No - but not putting a log out button on a protected web resource does mean that they are either lax or lazy.

Agreed. I'd go a step further and say that when the user closes the browser they should be automatically logged out. I believe this is the behavior "ordinary" users would expect. You shouldn't rely on people clicking a "Logout" button.

-Stor

Re:No, incident does prove Apple is lacking ...

[arminw]

.....Good lord, what kind of a dresscode do they enforce at Apple?.....

Most anything is Ok except a black turtleneck.

Re:No, incident does prove Apple is lacking ...

[Trillan]

What makes you think I am defending it? I am offering a suggestion for the poster to get the issue to knowledgeable eyes, if they care enough to pursue it.

That is a VERY different thing than defending the stupidity of the low level, poorly-trained monkey. And I'm certainly not going to defend whatever policy hired a monkey and trained him so poorly.

So where's my "mighty powerful logic disconnect"? It seems like the real problem here is "reading comprehension."

Re:No, incident does prove Apple is lacking ...

[gerardrj]

Minor point:
The .Mac page does in fact have a logout button, the separate window that is spawned to display the iDisk contents does not have one. Simply clicking back to the main .Mac page allows one to click "logout" and close the session.

As far as I know this only would affect:
1. Windows/GnuLinux users using the web page interface
2. Mac users forced to use Simple Finder.

Any Mac user with access to the full finder menus will simply choose Go:iDisk:Other Users' iDisk to access their own iDisk from a computer other than their own. Dragging the icon to the eject symbol logs you out of the iDisk contents.

I don't see how the lack of the logout button in the one window is a major security flaw.

Re:No, incident does prove Apple is lacking ...

[Trillan]

I think I've received 5-6 personal responses this month (2-3 on the same bug).

A minor flaw? Tosh.

[blowdart]

0H N0ES U DIDNT APPLE IS TEH PERFECT

Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.

The site listed (but not linked) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.

Re:A minor flaw? Tosh.

[Colin+Smith]

Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Macs make up about 3% of the computer using population. This means all flaws are minor.

Re:A minor flaw? Tosh.

[kestasjk]

But that 3% is the most important group; the 3% containing Einstein and Picasso and Vivaldi, Mac evangelists one and all.

Basically if you see Einstein, Picasso, or Vivaldi, or even Gauss or Heisenberg, using a public computer then Apple will treat this vulnerability as serious.
Last I checked scientists, power-managers and artists don't use computers other than their own, so why should Apple care about this "vulnerability"?

Re:A minor flaw? Tosh.

[Malevolyn]

As a player for both all three teams (so to speak) I'd have to say the article title is a bit sarcastic. I'm sure most people can agree that one of the differences between Apple and Microsoft is in how seriously they take themselves. Users tend to follow suit, which leads to sarcastic article title for what is very obviously a very large security flaw; in contrast, Microsoft articles lean more towards the more professional side.

Re:A minor flaw? Tosh.

[Bearhouse]

Funny...unless you're a Mac user. I notice that Mac "hey, it's cool and 'just works'(TM)" users are less used to managing security issues, hence less able. So, bad news.

Re:A minor flaw? Tosh.

[vtcodger]

***It's not just the title, but to the article summary as well. And this is slashdot, when was the last professional Microsoft article here? 1993?***

I dunno. When was the last time Microsoft did anything professional?

I agree that Microsoft would get a lot of abuse in this venue even when they did things well/right. But if you ask me, Microsoft doing things well/right hasn't been much of an issue for quite some years.

Re:A minor flaw? Tosh.

[jackpot777]

Macs use computers?

And I thought it was over 5 percent now...

Here's the thing. The only people that have to be worried are Mac users with a dot-mac account. I have an iMac but I wouldn't dream of getting .mac account. Seeing as it costs $99.95 for a year's membership, and for that you get:

a place to share photos online (which I do for free with Photobucket)

your own personal web-space (which for personal use, Blogger does the job just fine for me)

email access anywhere, even on an iPhone (but the iPhone shows your regular ISP email anyway, which is set up the first time you plug your iPhone into your Mac thanks to the settings in the Mail program, and GMail is accessed anywhere with internet connectivity too)

remote access to your Mac (which I personally have never needed)

the ability to sync your favourite stuff to the computer you're using (my iGoogle page shows me all the stuff I usually bookmark on any computer I decide to log into Google ...and after that, I have the URLs in my head or I can search for the stuff I want, or just send the URLs in an email to my GMail account, stick a star on the email and sort by stars to find it quickly)

10GB of storage online for files (XDrive gives 5GB away for free, eSnips gies 5GB away for free, my photos on Photobucket, my videos that I want people to see on YouTube...) .Mac Groups (there are enough free options out there for whatever group I want to start or join ...Google Groups, browsing the old Usenet newsgroups using Thunderbird, etc.)

Online backup if I don't have OS X 10.5 Leopard (or I can just buy Leopard and get all the new-fangled doohickeys too)...

What's the point? It's the equivalent of when people had CompuServe in the early-to-mid 90s. They'd pay through the nose to use a proprietary web browser and get access to groups that only other CIS users could use. It's the internet for people that don't know what's out there for nowt, a gated net community.

Re:A minor flaw? Tosh.

[stuboogie]

"What's the point? It's the equivalent of when people had CompuServe in the early-to-mid 90s. They'd pay through the nose to use a proprietary web browser and get access to groups that only other CIS users could use. It's the internet for people that don't know what's out there for nowt, a gated net community."

hmmm...sounds familiar...what was the name of that?

Ah, Oh weLl.

I can't remember right now.

Re:A minor flaw? Tosh.

[kithrup]

While not commenting on the "feature" in question -- one thing that .Mac does give you, that you didn't list, is the "Back to My Mac" feature for 10.5. This is actually pretty nice: I can (barring firewalls in the way :)) connect to my Mac at home while I'm elsewhere, both for file-sharing and screen-sharing.

You also get iChat encryption for .Mac accounts. But there are other clients to do this -- the BtMM thing is very impressive. (Remember, it works through NAT. Most of the time, anyway. :))

I can't guess for anyone whether that's worth $99/year... but when you need it, it is pretty nice to have.

I'm not sure how to look at my iDisk from a web browser, so I am not sure what's going on with that. I'm still looking, however.

Re:A minor flaw? Tosh.

[assassinator42]

Look closer, he does mention remote access. Although that can probably be done (minus the NAT traversal) with VNC.
Plus, you can use something like Hamachi to do NAT traversal if needed (although you need a client installed on all machines for that to work). Although you still don't the ability to access your computer from a browser anywhere with that.

Re:A minor flaw? Tosh.

[0123456789]

As someone who uses Tiger; the $100 per year for .Mac is worth it for the Backup software alone. You're right, I hardly use most of the other features, but I've had enough hassle with other backup software (or, more accurately, with restoring files from other backup software) that I'm willing to pay for reliable backup software (And, given my habit of fat-fingering rm commands, I tend to test the restoration quite frequently...). As to buying Leopard, Tiger works for me. Of course, I will probably upgrade eventually; probably around the same time my .Mac sub is due for renewal :-)

Re:A minor flaw? Tosh.

[stuboogie]

You know the fanboi is well aware of the drivel he spews when he resorts to defending Apple anonymously.

"I think it's minor because no one actually uses .mac, let alone an iDisk."
So, your first defense: Nobody uses this feature so it is not really a flaw! You're right Apple just promotes the .Mac service to maintain an ILLUSION.
None of the I-can't-tie-my-shoes-without-Apple-doing-it-for-me users have a .Mac account. I have a co-worker that is just one of those people.

"and if such things were an actual threat they'd be using "Private Browsing...", "Reset Safari..." or "Empty Cache..." features already built into Safari."
Next, There can't be a threat because IF there really IS a flaw in an Apple product, they would have fixed it. Therefore, it is not a threat!
Excellent logic there! Because Apple is infallible, there are NEVER flaws in their products! They catch ALL bugs in their software before it is released.

"also if you want a Microsoft comparison"
Now that you have dismissed the POSSIBILITY that there may be a flaw in an Apple product, you try to redirect the attention to M$. Nothing to see here...please move along.

"It seems to be the case that any security related articles no matter how dismal or indistinct to the apple platform float right to the top of the press."
Gee...I wonder why. If all the fanbois didn't run around exclaiming how PERFECT Apple is, maybe the rest of the world wouldn't be so inclined to throw the spotlight on any and all issues that arise with an Apple product. Just wait. I noticed how many rebuttals in this thread to the current market share that Apple owns. As Apple's footprint grows, so will the scrutiny placed on their products.

Re:A minor flaw? Tosh.

[shmlco]

So the sequence is IF you use a Mac and IF you're a .Mac member and IF you use iDisk and IF you check your iDisk from a public browser THEN someone could potentially access those files.

Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No. Worth discussing? Hardly. Check 100,000 public terminals and will you find one instance of the problem? Doubtful. In fact, I'd say that the fact that we're just now discovering the issue five years after .Mac and iDisk premired illustrates more than anything else as to just how "significant" it may be.

Should it be fixed? Sure.

As to your commments, I'm pretty sure I've ever seen anyone at anytime claim that Apple or Mac or OS X or the iPod or the iPhone is "PERFECT". Better, perhaps, but perfect? Nope. One has only to look at the tech notes and Software Updates to realize that. As such your entire anti-fanboi rant is pretty much just a strawman setup so you can knock him down, and pat yourself on the back in the process.

A better issue would have been followed from "A quick review of any public terminal's browser history could bring up all kinds of interesting things." Like failing to log out of Gmail or an Amazon account. But no. We have to do yet another Apple vs. Microsoft vs. Linux flamewar. Guess it's another slow Sunday at /..

Finally, the summary says, "feedback at apple.com/feedback has gone unanswered"... which is ALWAYS the case. It's a feedback site. It says feedback will be unanswered. To quote, "We read all feedback carefully, but please note that we cannot respond to the comments you submit." But again no, we have to make sure it looks like Apple is ignoring the "problem".

Re:A minor flaw? Tosh.

[PM4RK5]

You know the fanboi is well aware of the drivel he spews when he resorts to defending Apple anonymously.

And yet the whole of Slashdot can go ahead bashing Apple without actually investigating the problem. Had anyone actually checked, they'd have noticed that the main .Mac page—which is how one accesses the iDisk interface—has this nifty little logout button, as seen in this screenshot.

But it's more fun to bash Apple unconditionally.

Perhaps it's a minor oversight that the self-contained iDisk interface lacks a logout button, but to say that "there is no way for the average computer user to log-out of their iDIsk on public computers" is patently false. Sure, they have to use the main .Mac page to do it, but you have to open that page to get to your iDisk in the first place. So: it's the user's choice to close that window while working on iDisk (the iDisk interface opens in a second window), and the user's oversight in failing to return there to log out.

Investigative journalism at its best. Cripes.

Re:A minor flaw? Tosh.

[DECS]

Either Whoosh or Duh.

Why Microsoft's Copy-Killing Has Reached a Dead End
Microsoft's rapid rise to power and its ability to hold onto control over the PC desktop throughout the 90s has long been revered by pundits as a classic example of copying an existing business model and then defeating all competition through price efficiencies, despite the fact that Microsoft's Windows software has only ever gotten progressively more expensive with the passing of time. This copy-killing strategy, also described as "embrace, extend, and extinguish," is now reaching a dead end. Here's why.

Re:A minor flaw? Tosh.

[fatlaces]

Interestingly, that $99.99 is paid by you, not by advertisements. I haven't used it, but I think that would lead to a little cleaner interface/experience. I think ye olde internet was like that until the end of Compuseve and such.

Still, for a hundred bucks I would need more storage, and the ability to use PERL/PHP with my sites.

Re:A minor flaw? Tosh.

[Scudsucker]

I was thinking I would finally make it through an Apple story without some group think kneejerker saying "now if this were Microsoft, you'd all be up in arms" but I see the streak is unbroken.

Re:A minor flaw? Tosh.

[gtwilliams]

one thing that .Mac does give you ... is ... "Back to My Mac"

sshd anyone?

Re:A minor flaw? Tosh.

[stuboogie]

"So the sequence is IF you use a Mac and IF you're a .Mac member and IF you use iDisk and IF you check your iDisk from a public browser THEN someone could potentially access those files."

"Sorry, but the aggregate of all of those conditions is probably 0.000001%."

Yet again. You will sidestep the issue of their being a flaw by claiming it affects NO ONE.

Let me get this right...someone who has a Mac might also have a .Mac account (someone is using this service). Furthermore, since that person pays $99/year for that service, he may actually want to take advantage of the iDisk feature. Guess what? He MIGHT actually want to get to something stored in his iDisk account while away from his own computers.

I mean really...you SERIOUSLY believe your probability that this LOGICAL series of events is "0.000001%?????"

"As such your entire anti-fanboi rant is pretty much just a strawman setup so you can knock him down, and pat yourself on the back in the process."
I'M the one throwing up a ridiculous argument?? It is fanbois like you that I'm talking about. Just acknowledge the fact that, while this may not be a "major flaw", it IS "worth discussing".
ANY flaw in ANY software that allows others to access your private data should be public knowledge so that the users may protect themselves until a fix can be applied. I don't care who made the software.
I just can't stand the hypocritical views of the Mac users on /. who will blindly dismiss any wrong-doings by Apple. It's pathetic.

Re:A minor flaw? Tosh.

[arminw]

....Nobody uses this feature so it is not really a flaw..........

The .Mac service is intended for Mac users mainly on their own Macs. Probably not too many Mac users do anything critical on an alien computer, especially one that runs Windows. When I travel, I use my own Macbook, so this "flaw" isn't really a big deal. I suspect this is true for most Mac users. Even so I think Apple should and will fix this soon. Unlike Windows, there has NEVER, ever, been a flaw affecting any Mac from the time OSX was introduced, that allowed a Mac to be invaded by malware, simply for being connected to the Internet, even without a firewall.

All Mac flaws and the majority of those for Windows today need the co-operation of the user. NO OS can totally guard against an ignorant, careless user. Any user who uses an unknown computer in a strange environment for anything sensitive ought to have their head examined. They deserve to have their bank account emptied by a crook who installed a keylogger on that foreign machine.

Re:A minor flaw? Tosh.

[bogjobber]

Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No. Worth discussing? Hardly.

Sorry, but if an application gives a person with a complete lack of technical ability the ability to read the entire contents of your drive with full access from a remote location, and the only solution is to manually delete something that most users don't even know exists, that's a pretty serious flaw.

Re:A minor flaw? Tosh.

[shmlco]

As an anecdotal fact, I've paid for the service for three years now and never done it. People get it for different reasons, like hosted pages or user account syncing or to have a non-ISP-linked email address. So I'm pretty sure that not every .Mac member will automatically follow your "logical" progression.

But go back and reread the final clause, "someone could potentially [sic] access those file". So to follow your series of events, he then has to have a malicious individual immediately follow him on one out of a few million public terminals he might use on the one day he decides he needs a file and who then does the dirty deed.

At which point he walks out the door and gets struck by lightning.

It's not "blind dismissal", it's just a realistic probability matrix of such an event actually occurring. And like I said, it should be fixed.

But is it worth hundreds of /. perfect-macs-aren't-perfect rants? Especially when they were never claimed to be perfect in the first place?

Sorry, but no.

Like I said, it's got to be a slow Sunday.

Re:A minor flaw? Tosh.

[stuboogie]

I never said EVERY .Mac member would meet the criteria for this exploit to happen.
However, for you to state that the probability of this happening is akin to getting struck by lightning is absurd and a BLIND DISMISSAL of the POTENTIAL for this to happen.
Frankly, if such a user were to do this at a common terminal at work, it is not unlikely that a nosy co-worker might actually stumble upon this bug.
It doesn't take a malicious individual. It only takes a nosy one. Look around you. This world is full of them.

So, again, why are you so dismissive of a POTENTIAL breach of a user's privacy just because it is Apple?
Apple's products have not been claimed to be perfect in a literal sense, however it is the biased actions of fanbois that portray that virtual perfection.
To bash MS for every little issue they have and turn around and excuse Apple for ANY issue they have is hypocritical and tiring.

Some of us on /. get sick of seeing the double-standard and occasionally speak up about it. Not that it does any good, because the fanbois are so entrenched in their dogma that a logical and coherent argument never penetrates.

Re:A minor flaw? Tosh.

[Dephex+Twin]

Do I ask myself questions and then immediately answer them? Yes.

Re:A minor flaw? Tosh.

[Ilgaz]

$100 is a joke for us, people posting to Slashdot but their customers seem loving it.

I would pay $100/year for shell access to a XGrid enabled XServe Cluster, SSL enabled IMAP with Idle and SCP/rsync access but I am in 3% of population of 5% population. Apple doesn't care about me :)

Leave it to people purchasing it, it seems to fit their needs. Those are "Everything I use must be Apple, they rock" type of people and $100 could be joke for them.

Re:A minor flaw? Tosh.

[plumby]

So the sequence is IF you use a Mac and IF you're a .Mac member and IF you use iDisk and IF you check your iDisk from a public browser THEN someone could potentially access those files.

Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No.

So are you saying that it's impossible to have major flaws in niche products?

It may not be a major flaw in the grand scheme of things, but it's a major flaw in iDisk.

Re:A minor flaw? Tosh.

[nine-times]

I have .Mac, and I agree that it could use some work. The main reason I keep it is the syncing. First, it syncs certain portions of data (calendar, address book, browser bookmarks, etc.) and application preferences (location of the dock, changes in organization of toolbars, etc.). It sounds really minor, but it means that I get a certain level of uniformity of experience across the computers I use. I have three computers (home, work, laptop), and If I change settings on one of my computers and then go to use another computer, the changes are present on the other computer as soon as it syncs.

In addition to that, the online storage (iDisk) is set up so you can automatically cache the online files locally, and it'll sync automatically. So again, this allows me to share files across my computers. Additionally, if there is any data that I want synced across computers that isn't handled by the normal sync, I use Unison to sync it to my cached copy of my iDisk, then the OS automatically syncs it to the remote version. Eventually it makes it to all my computers.

It really works pretty well, and I've been particularly happy with the setup since Leopard, which additionally gives me remote access to my various computers, and also gives me a Time Machine backup on one of them for the odd occurrences where syncing accidentally causes me to lose a file I didn't intend to. I find the syncing and iDisk to be well-integrated into the OS, and my main request of Apple would be to open it all up so that you could use those services with your own servers. I'd feel more comfortable using an iDisk for my work files if the iDisk were hosted by my own company.

Re:A minor flaw? Tosh.

[neomunk]

Actually, I think the reality of the situation is closer to 'if some idiot can hit the back button and get access to a service I wanted to log out of, the DESIGNERS OF THE SERVICE have failed at security.' Saying the person who USED the back button has failed in some way because it wasn't hard to do strains my brain in trying to find the logic.

Your post seems to say (in spirit): 'Wow, that was easy for me to break into, I must be a moron.'

Re:A minor flaw? Tosh.

[The+One+and+Only]

Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin.

Thank god we have you to disabuse us of that notion. Oh, wait--nearly every article about any flaw in Apple products has someone like you complaining about the hypocrisy.

Re:A minor flaw? Tosh.

[gerardrj]

You left out several big points for .Mac:

1. Training... there's hundreds of PDFs and walkthroughs and dozens of video walkthroughs for almost anything normal people want to do with a Mac. From "What is this row of colorful icons at the bottom of the screen" to "how do I print a calendar of all my favorite photos" and lots more.

2. integration. Sure you can do everything that .Mac does with other services to some degree or another, but with .Mac its all in one place and its all integrated with the software on the machine.

3. Support. One person(company) to call if any of it goes wrong. No having to deal with Microsoft and Photobucket and your ISP and perhaps your camera vendor. One call to AppleCare and they will likely solve the issue. .Mac isn't for the geeks, its for the average user. That said I'm a geek and I use my .Mac account, but I get it for free.

Re:A minor flaw? Tosh.

[dhollist]

Exactly. Using PuTTY and VNC you can access your Mac even through corporate firewalls, and with a dynamic IP address, provided you've set up a dynamic DNS service like DynDNS.

Re:A minor flaw? Tosh.

[shmlco]

"...for you to state that the probability of this happening is akin to getting struck by lightning is absurd and a BLIND DISMISSAL of the POTENTIAL for this to happen."

Actually, I gave you a rather large opening there. Guess you don't know that about 100 people are struck and killed by lightning in the US each year. But 100 by 300 million is 0.0000003, or a third of the percentage I gave.

"Frankly, if such a user were to do this at a common terminal at work..."

I have my own computer at work, but again, that's just me.

"To bash MS for every little issue they have and turn around and excuse Apple for ANY issue they have is hypocritical and tiring."

There you go, making assumptions again. Care to look though my posting history and see how much Microsoft bashing I've done.

"Some of us on /. get sick of seeing the double-standard and occasionally speak up about it."

And I'm glad that all of those people on /. have you to speak up for them. But IF Microsoft had such a paid service for Vista and IF you were a member and IF you used it and IF you checked your mDisk from a public browser and IF they had the same flaw...

I'd say that the odds, given Vista's market penetration, are about three times that of getting stuck by lightning. Worse than Apple's, still remote. No double-standard.

"...a logical and coherent argument never penetrates."

Let me know when you find one, okay?

Catchup

• access control systems - built into windows since 3.1 (but only useful since NT4)
• program app exceutable digital signing - Windows 2000
• sandboxes - .net 1.0
• Address Space Randomization - announced in Vista first
• Filevault encryption - announced in Vista first; encryption with user keys was available in Windows 2000

Re:Catchup

[Malevolyn]

Yes, but the viruses keep coming. Apple still managed the forward think when they noticed that they were gaining market share, and thusly the world is still lacking overwhelming amounts of Mac OS viruses. It's not that Apple beat Microsoft to the punch, per se, but that they got there at a more strategic time in their OS's lifespan.

Re:Catchup

[Scudsucker]

And how many worms and viruses did Windows have in that time, Sparky?

Filevault encryption - announced in Vista first

Yawn. File Vault was released over three years before Vista was.

Re:Catchup

[Scudsucker]

OS X's File Vault and Windows Vista's Bitlocker are not in the same class. File Vault is like a post office's safety deposit box compared to Vista's Bitlocker, which is like a bank vault in comparison.

Uh, no. The only difference between File Vault and Bitlocker is that the latter also encrypts application files by default - it still has a non encrypted boot volume. There is nothing preventing you from doing the same on a Mac, you just need to move those files to an encrypted disk image.

A more appropriate comparison to File Vault is Windows 2000's Encrypting File System, which was released over three years before OS X 10.3 was.

Uh, no. All it takes to break EFS is to hack a user's password, which is trivial to do under default settings. And even if you do disable the storing of passwords in LM hash, you can still break EFS by resetting the Administrator password, which is also trivial to do with physical access.

Better luck next time.

You are a heretic, sir!

[Quiet_Desperation]

Anyone can slip up.

Ah, but this is Slashdot, where corporations are composed of primordial evil and capitalism is the beefy fart of the Devil. Every slip up is cause for running to the hills to prepare revolutionary strikes, and then run to the other hills and plan counter-revolutionary terror, and we all run around like decapitated chickens shouting comforting mantras like "Information wants to be free!" and "It am teh suk!"

This just in!

[krunk7]

If you let someone have full access to your computer, they can delete personal files and directories! News at 11!

Re:This just in!

[**loki969**]

Nicht Genuegend! Setzen!

Go back and read TFA!

Re:This just in!

[krunk7]

Hehe, it was 1:30am when I posted that. Late night posting for the loss.

Other Apple security controversy

[DigitAl56K]

The Reg is currently questioning Apple's approach even in addressing well-known security vulnerabilities that it has actually acknowledged:

http://www.theregister.co.uk/2007/12/15/apple_security_fixes/

Minor issue.

Really, if the public terminal isn't configured to automatically clear the data when the person has finished there's a problem.

Re:My testing

[makomk]

According to this post, signing out of .Mac doesn't actually sign you out of the iDisk.

Re:My testing

[prockcore]

Step 5. Notice that clicking the big LOG OUT button doesn't affect iDisk.

this is common

[Erpo]

Am I the only one that notices that Apple's response to every problem is a swift "let's delete this topic and pretend the problem doesn't exist"? .. Seems like bad business practise to me.

This happens all the time on corporate forums. The really infuriating part is that the admins also delete posts advocating a move to another forum without censorship. The only way to take discussion to sane place is to find topics before they've been deleted, see who's interested enough to post in those threads, and PM them with an invitation to a different forum.

Browser Sessions

[LordLucless]

I thought that session cookies died when the browser window closed - or does .Mac use URL rewriting?

An Apple a day...

[JAlexoi]

That's why I "like" Apple.
If you don't like something about them, it's you who is wrong.
And now, if you suspect/have proved a security flaw, you still are on the wrong side of things.

Microsoft locks you in to software, leaving hardware selection free, Apple locks you in completely. Now tell me who's worse.

iDisk data is unencrypted anyway

[Ma8thew]

A far more pressing concern is that data is transmitted to and from your iDisk insecurely. No one should be storing any sensitive data on their iDisk.

Apple hides the problems, or ?

[Teisei]

I wonder if this article is about how Apple is sweeping problems like dust, under the carpet. Sounds very Microsoft'ish. However, it's also very likely that Apple really takes care of those problems, but I don't understand why to hide them as if they didn't exist at all.

Session cookie

[msgmonkey]

Or they could use a session cookie that is deleted when the browser is closed.

Re:Session cookie

[corychristison]

They do, at least, all of the banks I have ever dealt with.

I think that the major concern is if you were to get up from the computer, and get caught up in doing something else... they don't want you to stay logged in, in the event that someone else were to use your computer (this is especially true in a work environment)

Re:Session cookie

[FerociousFerret]

Correct me if I'm wrong, but when using a browser that supports tabs, closing the tab is not the same a closing the browser for the session cookie. So if I close the tab that I used to connect, but don't shut down my browser because I have other sites up, someone could still get access. This is how the Apple store works. You can log in, but there is no logout. I chatted online with an Apple rep and asked how do I log out. There answer was to close the browser. Closing the tab won't work. I told them that I don't want to close my browser because I have 5 other important sites up and they should add a logout button.

Does it use cookies?

[p3d0]

The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. If it uses cookies, you could delete all cookies before you leave.

Logout for HTTP Basic Authentication

[RAMMS+EIN]

This sounds like an opportunity for Apple to add a logout feature for HTTP Basic authentication to their browser. After all, they control both the browser and .mac; they can make this work. I've never understood why there is no logout feature for HTTP Basic authentication.

I don't know if .mac actually uses HTTP Basic auth for authentication (if I were to guess I would guess not), but still.

I noticed that, too...

[Joce640k]

If it was Microsoft deleting posts which they didn't like the blogers would be frothing at the mouth and looking for ankles to bite.

Apple, which has a long history of this, seems to go unnoticed.

This is NOT a security flaw!

[naasking]

If someone has physical access to your machine, you're completely screwed 5 ways from Sunday REGARDLESS of the access controls in place. There is NO protection from such an attack. Consider the situation where the site did require a login: the person who gains access to your machine then installs a keylogger and steals your password. SAME conclusion. The key concept here is that no security is invulnerable once you lose control of the hardware. The RIAA and MPAA have been learning this lesson for the past few years. The only way to secure your data, is to encrypt it and carry the security token which holds the decryption hardware and/or key with you. Given enough brute-force or cryptanalysis, even this solution is vulnerable. Some future advancements in security might solve this fundamental problem, but given current knowledge it's simply impossible. In conclusion, the design of Apple's iDrive service is not a security flaw.

Re:This is NOT a security flaw!

This isn't about physical access to the machine the user owns. This is about the user using a machine he or she doesn't own, using their iDisk to remotely access files. A common ocurrence. Analogous to the idea of using scp while at a public terminal. (I do this quite often.)

Re:This is NOT a security flaw!

[naasking]

It's exactly the same problem. How do you know that unknown machine isn't logging your password?

2cents

[ljjewell]

In Firefox: Ctrl+Shift+Del = solves problem In Internet Explorer: Tools --> Delete Browsing History = also solves problem.

But wait...

[jpellino]

I though all Macs were used for doing some graphics. How risky can it be?

(/sarcasm)

Re:When Will Apple Learn That

[tuxic]

But if those opportunities lead to nothing serious, then it still doesn't matter.
What matters though, is for Apple to make sure they fix every vital security flaw they can with current software, implement even smarter security design in the future and continue to be the better choice for those who use their computer for traditional computing, ie. in the creative and journalistic area, internet-related usage (e-mail, web, IM, SFTP) and *NIX (ssh, text editing, programming, etc).

There is in fact a logout button. Top right.

[jpellino]

Right next to your username.

They deserve it

[140Mandak262Jamuna]

If someone uses a public computer to access their private data, typing in their user names and passwords and don't know how to clear the browser's cache and other private data they deserve everything they get. People should know what is private and what is public and why things are behind authentication access control screens. People who think they are safe because they killed the browser instance, would have left their mail accounts bank accounts and other things vulnerable too. The malefactor has these tempting fruits, they are not going to be trudging through the hard disk looking for useless stuff.

It is no different from leaving the house open and blaming the manufacturer of your dining table manufacturer for not protecting against this possible scenario.

My bad. Yikes! Live thru logout + relaunch!

[jpellino]

Let's try it with
History > Clear history
Apple+Option+E...

no, just more bloviating

[Scudsucker]

when it comes to Apple. But you screwed up: when you're jerking that knee at something they've done, you *must* include the requisite statement: "but if this were Microsoft, you'd all be up in arms..."

Apple used to be a good company...ten years ago.

Ten years ago their stock was ~$15 a share. Right now it's $190 per share, and that's after a few splits. I would trade one of your kidneys for a few hundred shares of 1997 Apple stock.

You are allowing a monkey to evaluate reports ...

[AHumbleOpinion]

You realize that the post was probably deleted by someone in poorly-trained low level support monkeys, right? Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.

You are merely describing what may be the specific shortcoming of Apple's organization. By ignoring the report because it was made via an inappropriate channel the monkey is in reality making a determination of the validity of the report. The monkey should forward the report to a non-monkey.

iSync is the killer feature of .Mac

[donstenk72]

admittedly not relevant for everyone, but synchronizing calender, contacts mail accounts and bookmarks across various macs/users/offices is really great. If there is something cheaper that works as reliably and easily (automatically without being prompted) I would like to know. I don't use any of the other features although the gallery is nice.

Re:iSync is the killer feature of .Mac

[LittleDobbs]

Right but the point he was making is iSync is seamless. Gmail is great but I can't exactly, nor do I want to, put my work email and contacts into my gmail account. With iSync email rules work on the desktop at work, desktop at home and the laptop. There is no need for a plugin on the browser to make bookmarks sync in the same way.

It might not be worth 99 a year, but I don't think there is a single tool that handles this as well.

Re:The price of popularity

[99BottlesOfBeerInMyF]

...chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them.

I've been working in the security industry for years. I've submitted bugs to Apple, MS, and various Linux and BSD projects. Apple's reaction to such submissions has been better than average. For the most part, they seem to acknowledge security related bugs and fix them before they are exploited, including providing credit to the bug reporter. I guess what I'm saying is, if you're judging "Apple's" response to security related bugs, maybe looking at how they handle problems reported to them through their publicly accessible bug reporting system is a better measuring stick, than looking at how they handle posts in forums. Not that I approve of censoring their forums, it just doesn't seem to be an important aspect of how they respond with regard to security. Not to sound like an Apple fan or anything, but I've frankly been impressed by Apple's quick turnaround on serious bugs.

Am I the only one who thought George B. McClellan?

[shoor]

I saw the title, "A Little .Mac Security Flaw", and immediately thought of the campaign song of George B. McClellan when he challenged Abe Lincoln in the 1864 presidential primary. His campaign song began with the lines: "Little Mac, Little Mac, You're the very man, go down to Washington soon as you can." and no, it's not because I'm a history maven or Civil War buff. When I was a kid I had a record, "Huckleberry Hound for President", built around Huckleberry Hound running for president, and one of the things they did was go through old presidential campaign songs looking for something to use for Huckleberry.

The things that stick in your head from when you're a kid.

De facto what?

[ari_j]

I think that "de facto standard" is undergoing the same illiteracy shift as "treasure trove" did, where people don't understand how to parse the phrase, mistake the noun for the adjective and vice versa, and start using the adjective as if it were the noun. Please, help fight this shift in the language. "De facto" is a much more important term than "trove" ever was, so it's essential to our continued ability to communicate effectively that it not lose its meaning and come to just mean "standard." Thank you for your support.

Mac zellots : RTFA

[Coolhand2120]

People keep saying '.mac has a logout button' and 'you can just click here and here to delete your cookies'. That's not the story! The idisk software is lacking a logout button, it is PART of .mac, not .mac. And if you didn't get that from reading the article, surely you understood it from reading other posts. In their rush to defend the indefensible, they blew past the article and and said something that is arguably moronic.

Before you mod me troll or flamebait, it's just an observation not an attack on anyone.

Is it fixed yet?

[Zaphod2016]

function logout() { // kill cookie / session } (yes I know Jscript is a poor choice of language here, I am simply proving a point) In the time it has taken me to read this thread, this issue could have been fixed. As a mac user, I am very disappointed in such a simple, yet potentially deadly flaw. I am even more disappointed in the forum admin deleting the thread. I am even more disappointed in the posters on /. who are defending this, simply because it happened to "our side". This should have been fixed within an hour of being reported. My clients are much, much smaller than Apple, and they have far better web security than this. Simply unacceptable. Bad timing too. I was considering upgrading to Leopard, and paying for a .mac to use remote backup. Now I wonder how secure my data would be. More damaging: I don't trust this company to tell me if a problem appears.

Or Reset Safari

[lullabud]

There is an option to reset Safari, the same way Firefox does its clearing private data. It's found in Safari -> Clear Private Data.

On top of that, there's a mode specifically made for public terminals called "Private Browsing" which automatically deletes all session data when the browser window closes.

Along with the lack of a logout button, the problem here is compounded by users not using the software properly.

Re:The price of popularity

[devolutionist]

...and I'm sure they'll respond quickly to this one as well. The point I was making was not about the speed of their response, but rather about Apple's reaction - which is censoring posts and trying to sweep the bad press under the rug. They're more interested in trying to maintain an image than disclosing the issue, which is what everyone else in the OS market does. I don't recall MS or any of the *nix flavors ever *actively* trying to prevent news of an expliot from getting out.

Re:What?

[toddestan]

Obviously you did not read the article, as the issue here is said log out button doesn not work with iDisk.

Funny Apple-Store parking lot exercise...

[Dreadflint]

Because I am a mean old man, on at least one occasion I have visited the Apple store only to find someone has parked their new car in the parking lot...

How does this make me a mean old man?

When I find that mistake has been made, I run my key down the side of their car before leaving.

I have to admit, I never thought of looking for new tires, but I am not sure I am mean enough to slash someones tires...

Though I have considered smashing their windows.

I am trying to educate little darlings.

Re:Funny Apple-Store parking lot exercise...

[MisterSquid]

You're right on about this. Besides not seeing a connection between unwitting users and his behavior as malicious, he probably doesn't realize that doing what he is doing very likely runs afoul of several states' and many municipalities laws against abuse of computer resources.

He acts like a shitcock and figures he's doing people a favor. Fantastic.

Re:Funny Apple-Store parking lot exercise...

[IBitOBear]

I thought I was fairly obvious in my presentation of that as a malicious act. I didn't delve into the nature of what someone more malicious could have done, and what it seemed others had done before me, I thought it was fairly obvious. (someone had left open a chat history with personal information in it, which is how I noticed the active session in the first place).

Most of the time I am reasonably responsible. Like telling the phone center guy that his gmail account was registered on the iPhone I was looking at and people were browsing his email history. Of course in that instance I could actually find the relevant party. He had been trying to figure out why he kept getting strange emails and pissed responses from people on his contact list.

So I was a dick. Anybody can slip to the dark side from time to time.

Re:Your post spells out Apple's shortcomings...

[NMerriam]

No one is saying that a forum admin should evaluate the validity of the issue.

That's precisely what you're saying, otherwise Apple should just pay it's security team to be the forum administrators so that nothing is missed. You can't tell someone to forward some things and not others without asking them to evaluate the messages to determine which need forwarding. In order to evaluate which need forwarding, you need technical knowledge about what is being discussed.

Also you are creating a silly red herring. This particular security problem is independent of hardware or software. The problem and fix lie in a *web* interface

So because it's a web interface it isn't software? It doesn't require any technical knowledge to evaluate? That doesn't even make any sense. There's no difference between a web interface and a standalone application interface in terms of telling a security issue from someone just bitching or being an idiot.

Another silly red herring. There are qualified people between the forum admin and the developers. Isolating developers from the noise is a common thing in many organizations. If your silly scenario were true, if a forum guy could directly contact a developer then that would be yet another example of where a shortcoming may lie. Misrepresenting my position will not revive your failed logic.

Nor will misrepresenting mine. Triage is one of the most important and time-consuming parts of dealing with bugs and security issues, and if you think Apple's finest programmers are running the first-line triage on the bug database, you're crazy. They have a whole staff with actual technical training and resources available whose sole job it is to do that triage, and basically what you're suggesting is that every single Apple employee should be trained in those skills and have those resources, or that the triage team should take over every form of communication "just in case".

Because unless every Apple employee from the janitor to the shipping clerk knows as much as the triage team, they DON'T have the skills necessary to know what does and doesn't need to be reported to the triage team (hi, I'm a catch-22, nice to meet you!).

Unlocked car...

[argent]

It's more like finding someone had left their keys in their car's door... and moving the car to a far part of the parking lot to teach them a lesson. Someone once told me they'd done that, and was surprised that I didn't think it was terribly funny.

Surely there's some way in iChat to leave them a note.

The can of worms...

[argent]

There's many classes of related problems here.

You have sessions that are not terminated explicitly when the user leaves the work area. Leaving yourself logged in has been a problem as long as there's been remotely accessed computers. I remember sitting around in the computer center in the dark back in the '70s because the mainframe we were using automatically resumed checkpointed jobs and the computer center had a policy of not terminating them for power outages less than some period of time.

You have reusable authentication tokens or session IDs that aren't automatically revoked.

These combined are a common problem thanks to the statelessness of the web.

Adding to that the inability to explicitly log out?

Not good.

On the other hand, using shared devices with non-trivial persistent state is also a problem. At Usenix one year the word went out that everyone who had used Kerberos logins at the Usenix terminal room should change their passwords, because they'd found some trapdoored Kerberos software on a terminal there. As originally designed, Kerberos was meant to be used with workstations that were trivially re-imaged over the network... they had no persistent state. Now whether Athena workstations were really used that way or not, I don't know, I wasn't at MIT... but the intent was that they be treated as dataless workstations.

Any system running a web browser, unless it's operated by someone you trust and either re-imaged before you use it or locked down so that even a local attacker using the browser can't initiate a remote execution exploit on it, is not sufficiently secure that you should be trusting it with passwords or other authentication tokens that can be used to access any resources that you actually care about.

If Apple wanted to really attack security here, then the .Mac login screen would have a warning against using it from any location where this exploit was possible in the first place, and you would be able to indicate that you were working from an untrusted location, and if so you would be automatically prompted for your password after what most people would consider an annoyingly short period of inactivity...

And track IP addresses, so if you log on from an IP address that someone else had used, you got put in this mode automatically.

But, really, shared computers ... particularly at public locations ... really shouldn't be used for anything more than googling restaurants and browsing wikipedia.

Re:Your post spells out Apple's shortcomings...

[AHumbleOpinion]

"No one is saying that a forum admin should evaluate the validity of the issue."

That's precisely what you're saying, otherwise Apple should just pay it's security team to be the forum administrators so that nothing is missed...

I said no such thing. I was quite clear that the forum admin should *not* be reporting directly to developers, that there should be a qualified person to accept the report and decide if it has merit, and that person forwards to developers.

... You can't tell someone to forward some things and not others without asking them to evaluate the messages to determine which need forwarding. In order to evaluate which need forwarding, you need technical knowledge about what is being discussed.

No. If you do not possess the technical knowledge, or the authority to make the call, you forward it to someone who does, and again that should probably not be the developers.

"Also you are creating a silly red herring. This particular security problem is independent of hardware or software. The problem and fix lie in a *web* interface"

So because it's a web interface it isn't software? It doesn't require any technical knowledge to evaluate? That doesn't even make any sense. There's no difference between a web interface and a standalone application interface in terms of telling a security issue from someone just bitching or being an idiot.

You wrote: "that user forum administrators are in no way able to evaluate what is a stupid user error vs what is an actual security issue across the hundreds of different hardware and software combinations Apple offers." The complexity you speak of is irrelevant, this is not application or OS code. The testing matrix is not all supported hardware models, it is the currently supported versions of Safari.

Triage is one of the most important and time-consuming parts of dealing with bugs and security issues, and if you think Apple's finest programmers are running the first-line triage on the bug database, you're crazy...

This is rediculous, your misrepresentation can not be accidental. I have written on multiple occasions that the forum admin should *not* be reporting directly to the developers. That the admin should be reporting to someone else, that this designated person filter out the noise.

... They have a whole staff with actual technical training and resources available whose sole job it is to do that triage, and basically what you're suggesting is that every single Apple employee should be trained in those skills and have those resources, or that the triage team should take over every form of communication "just in case". Because unless every Apple employee from the janitor to the shipping clerk knows as much as the triage team, they DON'T have the skills necessary to know what does and doesn't need to be reported to the triage team (hi, I'm a catch-22, nice to meet you!).

Actually, what I am suggesting is the following. Apparently you missed it, from my older post: Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scenario indicates that something is lacking at Apple.

Obligatory

[hsa]

Klaatu barada nikto!

Re:Perspective

[MLease]

Way to not read TFS, let alone TFA! The issue is not someone having access to your computer; the issue is logging onto your iDisk remotely from a public computer, and not being able to log out. This allows someone to track back through the browser history, and access your iDisk with your login credentials.

-Mike

Re:not a problem if you enable Private Browsing in

[Ilgaz]

not a problem if you enable Private Browsing in Safari Private browsing means no cookies, no history, no downloads window/history. It is a bit overkill instead of Apple fixing the issue themselves. Also all should remember .Mac is not a free service, it is a very expensive online service.

(From Safari Help)
When private browsing is turned on:

Webpages are not added to the history list.

The Downloads window is cleared so the name of anything you downloaded won't appear in the list. (To get rid of the downloaded item itself, you must delete it.)

Information isn't saved for AutoFill, including names and passwords.

Searches are not added to the pop-up menu in the Google search field.

Cookies are deleted.

Your Flawed analogy

[IBitOBear]

(Yes, I was a dick, I think I made that perfectly clear in the text.)

For the analogy to be correct, the new car would have to have been left running, unlocked, and unattended in the parking lot and I would have had to take it out and get it what? have it cleaned?

People who leave their cars running and unlocked and unattended get their cars stolen all the time. I didn't "steal" the account nor do the equivalent of taking the keys and throwing them into the bushes.

I also didn't take the car for a ride and run it into things or rack up a bunch of red-light camera offenses. (other people had been sending messages on the account).

Nor did I copy down the registration information and use it for my own purposes (someone had been looking through chat logs for phone numbers and such if the open window contents were to be believed).

So yea, I was a dick. Not my best moment by a long shot. I started with that. But at least criticize me with a reasonable analogy and perhaps understand why I shared the story in the form of a cautionary tale. 8-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Deleting comments

[stewbacca]

We don't know if Apple REALLY removed comments, or if this guy is just claiming they did. Secondly, we don't know the content of his comments. Perhaps they were vile and inappropriate and/or non-contructive? I'm trying to find more "proof" of this claim, but there is nothing linked in this /. "story". There's always a second side to the story as they say...

Could someone try it?

[Duke+Thomas]

What a minute, I've looked through all of the 4 mod level posts here, and I see defenses and attacks on apple, but has anyone actually bothered to try this?

• I open up Firefox.
• I go to http://idisk.mac.com/myawesomeusername ...
• I enter my username, I enter my password.
• I look around for a bit. There are no logout buttons, that is true. I can view or download this or that file, blah blah blah.
• I close Firefox.
• Then, I open up Firefox again.
• I go to http://idisk.mac.com/myawesomeusername again ...
• I also go to http://idisk.mac.com/myawesomeusername?view=web ...
• It asks for my username, password, again, in either case. When I decline to enter it, it tells me "unauthorized" and sends me on my merry way.

So... what the hell? Of course, what is a little more serious is that this data is all being sent plaintext, but the story as posted doesn't seem to be true, at least based on my casual test.

Also, isn't it considered good form to bother providing a link to the story we're summarizing? I know this is slashdot and no one bothers to read the text anyway, but for those that do, having to copy/paste URLs and browsing the site for the story being discussed is kind of stupid.

Re:Could someone try it?

[stewbacca]

You are correct...at least on a PC. When I close the browser out and try to go back in, I get either an account error, or I'm forced to log back in with my userid and login (depending on history you go back to). This is a non-problem propgated by the ever-so-popular movement to take cheap shots at Apple at any given turn, regardless of truth.

The only thing I can think of is if you go into the history on a Mac, it doesn't make you log back in, but I'll have to wait until I get home to try it.

Re:Could someone try it?

[sl3xd]

Well, if you aren't observant, if you go back in the history on a mac, depending on your browser, it can appear as bad as the topic claims.

Appearances can be deceiving, though.

Basically, if you use Safari, on a Mac, then you can go back into the history and view the files. Oh noes! A security breach!

Not really.

It only works after you've unlocked the login keychain, which has your .Mac login information. Keychain is similar to the KDE wallet, or any of a number of other password managers. (I use KDE's wallet because it's the closest thing i can think of - complete with an API so any app can use the keychain, so you don't have to write your own. I wish the FireFox devs would use the keychain on Macintosh. Oh well, I just use a browser that does instead.

Nearly every browser for OS X I've used uses the keychain - including Safari. So when you go back into your history, Safari uses the password stored in the keychain, fills in the password, and voila - you're in, no typing required, and you don't see the login prompt.

As mentioned (and I'm stressing it because it's important), Safari is using the keychain to authenticate, and is working as designed. So when iDisk's website asks for your username & password, Safari looks in the keychain, supplies the information immediately, and lets you go on with your life.

Naturally, to do this, you have to put your authentication information into the keychain.

You can get around this pretty easily: Don't be an idiot an put your passwords into a public system's keychain. It's every bit as stupid as storing passwords in IE (or FireFox's) password manager.

Re:Could someone try it?

[stewbacca]

Well I'm home and have been able to test it on a Mac. The problem exists ONLY if you close the window but don't quit the app. I've tested it in Safari, Firefox and Camino, and if you QUIT the application, you MUST reenter the login/password every time.

Simply put, you have to be a newbie Mac user and not understand that clicking the red button only closes the window (and doesn't quit the app). I can't vouch for your keychain explanation on public computers though. It seems like it wouldn't work, since everyone has a different keychain password anyway.

So to summarize, in every aspect, this is a non-story, except if you lack the understanding of how a Mac handles windows. Closing a window on a Mac doesn't quit the program. This has been standard-operating-procedure on Macs, though, since at LEAST 1988, so I fail to see how this is a security problem at all.

I guess Apple could put up a message saying, "Dear user, although you've closed the current window, you actually haven't quit the application. Welcome to Macintosh, circa 1984. Now stop applying Windows logic to our otherwise very solid operating system."

Re:Could someone try it?

[Duke+Thomas]

You are correct...at least on a PC. ... I'll have to wait until I get home to try it [on a Mac].

Yeah, actually I was doing it on a Mac, but it's good to have confirmation that I'm not completely insane. :)

Re:You are allowing a monkey to evaluate reports .

[Trillan]

I am not disagreeing with a single thing you said. It sounded like the parent wanted the report read by someone knowledgeable, and I pointed them in the right direction. If the goal was indeed to get it before eyes, I helped. If it was merely to complain, I did no damage. Nowhere did I defend any policy, only describe it.

Looks like you can log out

[xiaodidi]

If you look at any Finder window, you have a bar on the left hand side. If you right-click on the iDisk icon, you get a pulldown menu with the Eject option...
At least this works for my own iDisk on my own Mac.
If you don't see the bar on the left, you should activate it with the tiny rounded-rectangle button on the upper right of the Finder window.

Re:There is in fact a logout button. Top right.

[bfc_inc]

Funny, I seem to have a logout button too (and had one long before this "article" came out). And if, after clicking it, I "go back" in the browser, I have to log in again. Nothing gets cached for me. Now if I mount the iDisk on my desktop, it tends to hang around, but then that's how network drives are supposed to work. Cheers, tb

Re:Your post spells out Apple's shortcomings...

[Actually,+I+do+RTFA]

. Triage is one of the most important and time-consuming parts of dealing with bugs and security issues, and if you think Apple's finest programmers are running the first-line triage on the bug database, you're crazy. They have a whole staff with actual technical training and resources available whose sole job it is to do that triage, and basically what you're suggesting is that every single Apple employee should be trained in those skills and have those resources, or that the triage team should take over every form of communication "just in case".

While I enjoy a false dilemma as much as the next man, this is a ludicrious position. User X reports a problem. Admin Y on a webboard sees it, tells other Apple employee Z about it. Z tells Y that it is known, or unknown and they will deal with it, whatever. Y then a) Fills out a for so that other webboard admins know about the issue (if not done automatically as a sideeffect of telling Z), messages X to let him know what is going on, and, if it is a false issue, removes it or adds a comment to the story.

Is it just me or is this article wrong

[puggsly]

I didn't buy it so I tried it. I opened Safari and connected to my iDisk on the web. I quit Safari and went into history and I was asked for a password. I guess had I not quit safari and the session had not timed out, maybe then but I think I could run into that on Amazon! Am I missing something? Maybe that is why Apple deleted the posting because it was wrong! Just a thought?